Created
October 13, 2022 11:37
Debian 11 CIS-CAT V4.22 report
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:cce="http://benchmarks.cisecurity.org/cce/1.0" xmlns:controls="http://cisecurity.org/controls" xmlns:cc6="http://cisecurity.org/20-cc/v6.1" xmlns:c7="http://cisecurity.org/20-cc/v7.0" xmlns:c8="http://cisecurity.org/20-cc/v8.0" xmlns:cc7="http://cisecurity.org/20-cc/v7.0" xmlns:cve="http://benchmarks.cisecurity.org/cve/1.1" xmlns:check="local:check" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" xmlns:fn="stylesheet-function" xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" xmlns:oval-sc="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-res="http://oval.mitre.org/XMLSchema/oval-results-5" xmlns:ccpd="http://benchmarks.cisecurity.org/ccpd" xmlns:output="http://www.w3.org/2010/xslt-xquery-serialization" xml:lang="en" lang="en">
<!-- This XHTML page was generated by the Configuration Assessment Tool (CIS-CAT) from the Center for Internet Security -->
<!-- For further information, please visit the Center for Internet Security web site at http://benchmarks.cisecurity.org/ -->
<!-- transformation performed 2022-10-10T08:13:01.963491Z using Saxonica version HE 9.9.0.2-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></meta>
<meta name="date" content="2022-10-10T08:13:01.963491Z"></meta>
<title>Benchmark Result xccdf_org.cisecurity.benchmarks_testresult_1.0.0_CIS_Debian_Linux_11_Benchmark</title>
<style type="text/css">/* Copyright © 2010 — Center for Internet Security */ /**************** GENERAL FORMATTING AND LAYOUT STYLES ******************/ body { /*font-family: "Verdana","Arial", "Arial Unicode MS", "Lucida Grande", "Lucida Sans Unicode", "Lucida Sans", sans-serif;*/ font-family: "Arial", "Arial Unicode MS", sans-serif; font-style: normal; font-weight: normal; font-size: 12pt; background-color: #505050; } p { font-size: 12pt; font-weight: normal; font-style: normal; } p.explanation, p.rationale, p.check { font-weight: bold; } h1 { font-size: 18pt; } h2 { font-size: 16pt; } h3 { font-size: 14pt; } h4 { font-size: 13pt; } h5 { font-size: 12pt; } h6 { font-size: 12pt; } ol, ul, li { font-weight: normal; font-style: normal; font-size: 10pt; } div, span { font-weight: normal; font-style: normal; font-size: 12pt; } pre { white-space:pre; font-weight: normal; font-size: 10pt; } #reportContainer{ width: 892px; margin: 0 auto; background-color: #ffffff; } #footerContainer { width: 892px; margin-left: -10px; margin-bottom: -10px; } #detailsContainer { page-break-before: always; padding: 10px; } .ruleTitle { color: #1F497D; width: 90%; margin-top: 10px; } .ruleResultArea { float: right; margin-top: 10px } /**************** END GENERAL FORMATTING AND LAYOUT STYLES ******************/ /**************** STYLES USED FOR HIDING AND DISPLAYING OF RULES ************/ /******* DO NOT CHANGE THE NAMES AS THEY ARE USED IN JavaScript *************/ .hidden, .tableHidden { display:none; } .visible { display:block; } .tableVisible { display:table-row; } /************ END STYLES USED FOR HIDING AND DISPLAYING OF RULES ************/ /**************** TABLE SPECIFIC FORMATTING STYLES ******************/ table { empty-cells: show; font-weight: normal; font-style: normal; font-size: smaller; } table caption { text-align: left; } table.profile { table-layout: fixed; } thead { /*color:rgb(254,189,59);*/ color: rgb(255,255,255); /*#72a94e;*/ background-color:rgb(0, 59, 92); } tbody 
{ color: inherit; background-color: #f0f0f0; } tbody.tbe { color: inherit; background-color: #ffffff; } tbody td.group { color: inherit; } .ruleGroupTitle { color: #1f497d; } tfoot { color: inherit; background-color: #f0f0f0; } tfoot th { color: inherit; background-color: #d0d0d0; } table.result { font-size: 12px; font-family: courier, fixed, monospace; } table.enum { font-size: 11px; border-collapse: collapse; } table.enum td.enum_name { font-weight: bold; vertical-align: middle; } table.evidence { font-size: 12px; border-collapse: collapse; } table.evidence-sep { font-size: 12px; border-collapse: collapse; border-top: 2px solid rgb(0, 59, 92); border-bottom: 2px solid black; } table.evidence-multi { border-top: 2px solid rgb(0, 59, 92); } tr.evidence_check_header { border-top: solid black 1px; } td.evidence { color:rgb(255,255,255); background-color:rgb(0, 59, 92); } td.evidence_bold { font-weight: bold; color:rgb(255,255,255); background-color:rgb(0, 59, 92); } tr.evaluated { background-color: #bee5eb; } .bu { font-size: 12px; font-weight: bold; } .but { font-size: 12px; font-weight: bold; text-decoration:underline; } .logop { font-weight: bold; font-style: italic; font-size: 12px; } /**************** END TABLE SPECIFIC FORMATTING STYLES ******************/ /**************** RULE AND ASSESSMENT DETAILS FORMATTING STYLES ********/ div.Rule { margin-top: 1em; padding-left: 1em; padding-right: 1em; padding-bottom: 1em; border-style: double; border-width: thin; } div.warning:before { color: red; background-color: inherit; font-weight: bold; content: "⚠ Warning ⚠"; display: block; } div.warning { margin-left: 1in; margin-right: 1in; margin-top: 1em; margin-bottom: 1em; color: inherit; background-color: #ffc6c6; text-align: center; border-style: double; border-color: red; } div.question:before { font-weight: bold; content: "Question:"; display: block; } div.question { margin-top: 1em; } .question { font-style:italic; } div.rationale:before { font-weight: bold; 
content: "Rationale:"; display: block; } div.rationale { margin-top: 1em; } div.check:before { font-weight: bold; /*content: "Test(s)";*/ content: "Assessment:"; display: block; } div.check { margin-top: 1em; /*border-style: dotted;*/ /*border-width: thin;*/ overflow-x:auto; /*background-color: #eee;*/ } div.fixtext:before { font-weight: bold; content: "Remediation:"; display: block; } div.fixtext { margin-top: 1em; } div.message:before { font-weight: bold; content: "Note(s):"; display: block; } div.message { margin-top: 1em; } div.fix:before { font-weight: bold; content: "Remediation command(s):"; display: block; } div.fix { margin-top: 1em; } div.platform { margin-top: 1em; } li.operator { list-style-type: none; } samp { display: block; color: inherit; background-color: #f0f0f0; } span.outcome { float: right; clear: right; } div.backtop { text-align: right; clear: both; margin-top: 1em; font-size: 11px; } .code_block { background-color: rgb(221,217,195); border: 1px solid black; font-family: courier, fixed, monospace; font-size: 10pt; display: block; } code { color: inherit; background-color: rgb(221,217,195); font-size: 10pt; /*WKM 07.01.2013 - Commented out as it was causing some whack formatting*/ /*white-space:pre-wrap;*/ } .registry_key { color: inherit; background-color: inherit; font-family: courier, fixed, monospace; } code.sh.root:first-child:before { content: "# "; } code.sh.user:first-child:before { content: "$ "; } code.sh { display: block; } code.shell:before { content: "# "; } code.SQL:before { content: "SQL: "; } code.path:before { content: "path: "; } code.oracle-parameter:before { content: "test: "; } div.xml { margin-top: 0em; border-style: dashed; border-width: thin; display: none; height:25em; overflow:scroll; background-color: #eee; } div.cmd { margin-top: 0em; border-style: dashed; border-width: thin; display: none; height:5em; overflow:scroll; background-color: #eee; resize: vertical; } div.evtest { margin-top: 0em; border-style: dashed; 
border-width: thin; display: none; height:10em; overflow:scroll; background-color: #ffffff; resize: vertical; } div.cveevidence { margin-top: 0em; border-style: dashed; border-width: thin; display: none; height:11em; overflow:scroll; background-color: #eee; } div.cceevidence { margin-top: 0em; border-style: dashed; border-width: thin; display: none; height: 13em; overflow:scroll; background-color: #eee; } div.profile-action { text-align:right; } .pathname, .code, .command, .configtext, span.pathname, span.command, span.inline_block { font-family: courier, fixed, monospace; } span.command { font-weight: bold; } span.test_title { font-size: 11pt; font-weight: bold; } .referenceList li, .referenceList li .bold { font-size: 11px; } .listing { margin:+2em; color: inherit; background-color: #e0e0e0; border-width:thin; border-style:solid; overflow:auto; } .binary:before { content: "[ "; } .binary:after { content: " ]"; } .result-outcome:before { content: "«"; } .result-outcome:after { content: "»"; } div pre { font-size: smaller; } /************ END RULE AND ASSESSMENT DETAILS FORMATTING STYLES ********/ /************************* GENERAL TEXT STYLES *************************/ .highlight { color: inherit; background-color: #FFFFCC; } .weight { text-align: right; } td.numeric { text-align: right; } .underline { text-decoration: underline; } .italic { font-style: italic; } .serif { font-family: cursive; font-style: italic; } .bold { font-weight: bold; } td p:first-child { margin-top: 0; } .pass, .fail, .error { background-color: inherit; } .fail, .false, .vf, .high { color: red; } .pass, .true, .vnf, .low { color: #33CC33; } .error, .medium { color: #FF8000; } .unknown { color: rgb(0, 134, 191); } .notapplicable, .notselected { text-decoration: line-through; color: gray; background-color: inherit; } .informational, .manual, .notchecked { color: gray; background-color: inherit; } .hint, .caption, .action { font-size: smaller; } .action { text-decoration: underline; } 
.action:hover { border-style: dashed; border-width: thin; cursor: pointer; } .cce-action { text-decoration: underline; font-size: inherit; } .cce-action:hover { border-style: dashed; border-width: thin; cursor: pointer; } .evidence-action { text-decoration: underline; font-size: inherit; } .evidence-action:hover { border-style: dashed; border-width: thin; cursor: pointer; } .block { display:block; border-style: dashed; border-width: thin; } .inline { display:inline; border-bottom:dotted; border-width:thin; } .extends { font-size: 10pt; font-style: italic; } /******************** END GENERAL TEXT STYLES *************************/ /* This style specifies a selected row like you see in the profile area */ .selected-row {background-color:#72a94e; } /********************** STYLES USED IN THE FIRST PAGE OF THE REPORT ***********/ .subBar { background-color: #9cbac7; height: 40px; border-bottom: 1px solid black; border-top: 1px solid white; } div.introFooter { text-align:center; border-bottom: 1px solid black; font-size:8pt; padding-left: 100px; } div.introFooter p { font-size: 8pt; line-height:4pt; } #coverPageTitle { padding-top:200px; height:300px; } #coverPageTitle h1 { text-align:center; padding-left: 100px; font-size:20pt; margin-top: 0px; margin-bottom: 0px; } #coverPageTitle h2 { text-align:center; padding-left: 100px; font-size: 18pt; margin-top: 0px; margin-bottom: 0px; } #coverPageTitle h3 { text-align:center; padding-left: 100px; font-size: 16pt; } #coverPageTitle ul li { text-align:center; padding-left: 60px; list-style-type: none; font-size: 12pt; font-weight: normal; font-style: normal; } #coverPageSubTitle { /*background:url is customizable*/ color: rgb(255,255,255); padding-top: 30px; padding-left: 10px; height:376px; } #coverPageSubTitle ul li { list-style-type: none; font-size: 11pt; font-weight: normal; font-style: normal; } .sectionTitle { color: #000; font-size: 16pt; } ul.unstyled { list-style-type: none; } .subsectionTitle { color: #000; font-size: 
12pt; font-style:italic; text-decoration:underline; } /****************** END STYLES USED IN THE FIRST PAGE OF THE REPORT ***********/ /****************** STYLES TO SPECIFY THE INDENTATION IN THE SUMMARY TABLE *********/ .sub0 { background-color: #d0d0d0; font-weight:bold;} /*.sub1 { padding-left: 10px; font-weight:normal;} .sub2 { padding-left: 20px; font-weight:normal;} .sub3 { padding-left: 30px; font-weight:normal;} .sub4 { padding-left: 40px; font-weight:normal;} .sub5 { padding-left: 50px; font-weight:normal;} .sub6 { padding-left: 60px; font-weight:normal;} .sub7 { padding-left: 70px; font-weight:normal;} .sub8 { padding-left: 80px; font-weight:normal;} */ .sub1 { padding-left: 5px; font-weight:normal;} .sub2 { padding-left: 10px; font-weight:normal;} .sub3 { padding-left: 15px; font-weight:normal;} .sub4 { padding-left: 20px; font-weight:normal;} .sub5 { padding-left: 25px; font-weight:normal;} .sub6 { padding-left: 30px; font-weight:normal;} .sub7 { padding-left: 35px; font-weight:normal;} .sub8 { padding-left: 40px; font-weight:normal;} /************* END STYLES TO SPECIFY THE INDENTATION IN THE SUMMARY TABLE *********/ /****************** STYLES TO SPECIFY THE STYLES IN THE ASSESSMENT RESULTS TABLE *********/ .sect { background-color: #d0d0d0;} /***************END STYLES TO SPECIFY THE STYLES IN THE ASSESSMENT RESULTS TABLE *********/ /********************* STYLES FOR THE FOOTER ****************************/ .footerBar { background: rgb(255,255,255); height:75px; border-bottom:1px solid black; border-top:1px solid black; } /********************** END STYLES FOR THE FOOTER ***********************/ /******************** STYLE TO SPECIFY THE HEADER BACKGROUND *******************/ .coverPage { /*background:url is customizable*/ } .logoContainer { position:relative; width:887px; height:100px; } .logoBar { background-color:#ffffff; align:right; position:absolute; top:10px; right:10px; } .coverpageFooterContainer { position:relative; height:64px; } 
.coverpageFooterBar { background-color:#ffffff; position: absolute; right: 0px; } .outerDiv { width: 100%; text-align: right; // center the content of the container } .innerDiv { display: inline-block; // display inline with ability to provide width/height } #toggleUncheckedItemsArea { text-align: right; clear: both; } #toggleUncheckedItemsArea a { color: gray; font-size: 10pt; } #toggleFailuresOnlyArea { text-align: right; clear: both; } #toggleFailuresOnlyArea a { color: gray; font-size: 10pt; }</style><script type="text/javascript">
/**
 * Can get the ID of the button controlling
 * a collapsible box by concatenating
 * this string onto the ID of the box itself.
 */
var B_SFIX = "_button";
/**
 * Returns an element in the current HTML document.
 *
 * @param elementID Identifier of HTML element
 * @return HTML element object
 */
function getElementObject(elementID) {
  var elemObj = null;
  if (document.getElementById) {
    elemObj = document.getElementById(elementID);
  }
  return elemObj;
}
/**
 * Closes a collapsible box.
 *
 * @param boxObj Collapsible box
 * @param buttonObj Button controlling box
 */
function closeBox(boxObj, buttonObj) {
  if (boxObj == null || buttonObj == null) {
    // Box or button not found
  } else {
    // Change 'display' CSS property of box
    boxObj.style.display = "none";
    // Change text of button
    if (boxObj.style.display == "none") {
      buttonObj.value = "+";
      buttonObj.innerHTML = "Show";
    }
  }
}
/**
 * Closes a collapsible box.
 *
 * @param boxObj Collapsible box
 * @param buttonObj Button controlling box
 */
function closeBoxML(boxObj, buttonObj) {
  if (boxObj == null || buttonObj == null) {
    // Box or button not found
  } else {
    // Change 'display' CSS property of box
    boxObj.style.display = "none";
    // Change text of button
    if (boxObj.style.display == "none") {
      buttonObj.value = "+";
      buttonObj.innerHTML = "More";
    }
  }
}
/**
 * Opens a collapsible box.
 *
 * @param boxObj Collapsible box
 * @param buttonObj Button controlling box
 */
function openBox(boxObj, buttonObj) {
  if (boxObj == null || buttonObj == null) {
    // Box or button not found
  } else {
    // Change 'display' CSS property of box
    boxObj.style.display = "block";
    // Change text of button
    if (boxObj.style.display == "block") {
      buttonObj.value = "-";
      buttonObj.innerHTML = "Hide";
    }
  }
}
/**
 * Opens a collapsible box.
 *
 * @param boxObj Collapsible box
 * @param buttonObj Button controlling box
 */
function openBoxML(boxObj, buttonObj) {
  if (boxObj == null || buttonObj == null) {
    // Box or button not found
  } else {
    // Change 'display' CSS property of box
    boxObj.style.display = "block";
    // Change text of button
    if (boxObj.style.display == "block") {
      buttonObj.value = "-";
      buttonObj.innerHTML = "Less";
    }
  }
}
/**
 * Sets the state of a collapsible box.
 *
 * @param boxID Identifier of box
 * @param open If true, box is "opened",
 * Otherwise, box is "closed".
 */
function setState(boxID, open) {
  var boxObj = getElementObject(boxID);
  var buttonObj = getElementObject(boxID + B_SFIX);
  if (boxObj == null || buttonObj == null) {
    // Box or button not found
  } else if (open) {
    openBox(boxObj, buttonObj);
    // Make button visible
    buttonObj.style.display = "inline";
  } else {
    closeBox(boxObj, buttonObj);
    // Make button visible
    buttonObj.style.display = "inline";
  }
}
/**
 * Sets the state of a collapsible box.
 *
 * @param boxID Identifier of box
 * @param open If true, box is "opened",
 * Otherwise, box is "closed".
 */
function setStateML(boxID, open) {
  var boxObj = getElementObject(boxID);
  var buttonObj = getElementObject(boxID + B_SFIX);
  if (boxObj == null || buttonObj == null) {
    // Box or button not found
  } else if (open) {
    openBoxML(boxObj, buttonObj);
    // Make button visible
    buttonObj.style.display = "inline";
  } else {
    closeBoxML(boxObj, buttonObj);
    // Make button visible
    buttonObj.style.display = "inline";
  }
}
/**
 * Switches the state of a collapsible box, e.g.
 * if it's opened, it'll be closed, and vice versa.
 *
 * @param boxID Identifier of box
 */
function switchState(boxID) {
  var boxObj = getElementObject(boxID);
  var buttonObj = getElementObject(boxID + B_SFIX);
  if (boxObj == null || buttonObj == null) {
    // Box or button not found
  } else if (boxObj.style.display == "none" || boxObj.style.display == "") {
    // Box is closed, so open it
    openBox(boxObj, buttonObj);
  } else if (boxObj.style.display == "block") {
    // Box is opened, so close it
    closeBox(boxObj, buttonObj);
  }
}
/**
 * Switches the state of a collapsible box, e.g.
 * if it's opened, it'll be closed, and vice versa.
 *
 * @param boxID Identifier of box
 */
function switchStateML(boxID) {
  var boxObj = getElementObject(boxID);
  var buttonObj = getElementObject(boxID + B_SFIX);
  if (boxObj == null || buttonObj == null) {
    // Box or button not found
  } else if (boxObj.style.display == "none" || boxObj.style.display == "") {
    // Box is closed, so open it
    openBoxML(boxObj, buttonObj);
  } else if (boxObj.style.display == "block") {
    // Box is opened, so close it
    closeBoxML(boxObj, buttonObj);
  }
}
/**
 * Closes all boxes in a given list.
 *
 * @param boxList Array of box IDs
 */
function collapseAll(boxList) {
  var idx;
  for (idx = 0; idx < boxList.length; idx++) {
    var boxObj = getElementObject(boxList[idx]);
    var buttonObj = getElementObject(boxList[idx] + B_SFIX);
    closeBox(boxObj, buttonObj);
  }
}
/**
 * Open all boxes in a given list.
 *
 * @param boxList Array of box IDs
 */
function expandAll(boxList) {
  var idx;
  for (idx = 0; idx < boxList.length; idx++) {
    var boxObj = getElementObject(boxList[idx]);
    var buttonObj = getElementObject(boxList[idx] + B_SFIX);
    openBox(boxObj, buttonObj);
  }
}
/**
 * Makes all the control buttons of boxes appear.
 *
 * @param boxList Array of box IDs
 */
function viewControlButtons(boxList) {
  var idx;
  for (idx = 0; idx < boxList.length; idx++) {
    // Declared locally so the loop does not create an implicit global
    var buttonObj = getElementObject(boxList[idx] + B_SFIX);
    if (buttonObj != null) {
      buttonObj.style.display = "inline";
    }
  }
}
/**
 * Makes all the control buttons of boxes disappear.
 *
 * @param boxList Array of box IDs
 */
function hideControlButtons(boxList) {
  var idx;
  for (idx = 0; idx < boxList.length; idx++) {
    // Declared locally so the loop does not create an implicit global
    var buttonObj = getElementObject(boxList[idx] + B_SFIX);
    if (buttonObj != null) {
      buttonObj.style.display = "none";
    }
  }
}
function toggleHygieneMoreLink() {
  var link = document.getElementById("moreLessLink")
  if (link.innerHTML == "More") {
    document.getElementById("hygieneMoreInfoDiv").style = "visibility: visible; float: left;"
    document.getElementById("moreLessLink").innerHTML = "Less"
  } else if (link.innerHTML == "Less") {
    document.getElementById("hygieneMoreInfoDiv").style = "display: none; float: left;"
    document.getElementById("moreLessLink").innerHTML = "More"
  }
}
function checkboxToggled() {
  var failuresOnlyCheckbox = document.getElementById("failuresOnlyCheckbox")
  var essentialHygieneCheckbox = document.getElementById("essentialHygieneCheckbox")
  var showNoControls8Message
  if (!failuresOnlyCheckbox.checked && !essentialHygieneCheckbox.checked) {
    displayPassAreas()
    showNonEssentialHygiene()
  } else if (failuresOnlyCheckbox.checked && essentialHygieneCheckbox.checked) {
    hidePassAreas()
    hideNonEssentialHygiene()
  } else if (failuresOnlyCheckbox.checked && !essentialHygieneCheckbox.checked) {
    showNonEssentialHygiene()
    hidePassAreas()
  } else if (!failuresOnlyCheckbox.checked && essentialHygieneCheckbox.checked) {
    displayPassAreas()
    hideNonEssentialHygiene()
  }
}
function showNonEssentialHygiene() {
  handleUncheckedDisplay("nonCriticalControlArea", "hidden", "visible");
  handleUncheckedDisplay("nonCriticalControlArea", "tableHidden", "tableVisible");
}
function hideNonEssentialHygiene() {
  handleUncheckedDisplay("nonCriticalControlArea", "visible", "hidden");
  handleUncheckedDisplay("nonCriticalControlArea", "tableVisible", "tableHidden");
}
/******** WKM *************/
/**
 * Makes all of the pass results disappear -- effectively shows only failures
 */
function hidePassAreas() {
  handleUncheckedDisplay("nonFailureArea", "visible", "hidden");
  handleUncheckedDisplay("nonFailureArea", "tableVisible", "tableHidden");
  return false;
}
/**
 * Makes all of the pass results show up -- effectively shows all results
 */
function displayPassAreas() {
  handleUncheckedDisplay("nonFailureArea", "hidden", "visible");
  handleUncheckedDisplay("nonFailureArea", "tableHidden", "tableVisible");
  return false;
}
/******** WKM *************/
/**
 * Makes all of the not selected results disappear
 */
function hideUncheckedAreas() {
  handleUncheckedDisplay("notSelectedArea", "visible", "hidden");
  handleUncheckedDisplay("notSelectedArea", "tableVisible", "tableHidden");
  // Loop index declared locally so it does not leak into the global scope
  for (var i = 0; i < document.getElementById("toggleUncheckedItemsArea").getElementsByTagName("a").length; i++) {
    if (document.getElementById("toggleUncheckedItemsArea").getElementsByTagName("a")[i].href != "") {
      document.getElementById("toggleUncheckedItemsArea").getElementsByTagName("a")[i].onclick = displayUncheckedAreas;
      document.getElementById("toggleUncheckedItemsArea").getElementsByTagName("a")[i].innerHTML = "Display All Defined Tests";
    }
  }
  return false;
}
/**
 * Makes all of the not selected results show up
 */
function displayUncheckedAreas() {
  handleUncheckedDisplay("notSelectedArea", "hidden", "visible");
  handleUncheckedDisplay("notSelectedArea", "tableHidden", "tableVisible");
  // Loop index declared locally so it does not leak into the global scope
  for (var i = 0; i < document.getElementById("toggleUncheckedItemsArea").getElementsByTagName("a").length; i++) {
    if (document.getElementById("toggleUncheckedItemsArea").getElementsByTagName("a")[i].href != "") {
      document.getElementById("toggleUncheckedItemsArea").getElementsByTagName("a")[i].onclick = hideUncheckedAreas;
      document.getElementById("toggleUncheckedItemsArea").getElementsByTagName("a")[i].innerHTML = "Show Applicable Tests Only";
    }
  }
  return false;
}
/**
 * This function handles the work of displaying or hiding all of the not selected rules.
 *
 * @param displayArea - The class denoting the display area
 * @param valueToLookFor - The class we want to look for (hidden or visible)
 * @param valueToSetTo - The class we want to swap out
 */
function handleUncheckedDisplay(displayArea, valueToLookFor, valueToSetTo) {
  var i;
  var classValue;
  // Swap the class on matching rows of the results table
  var checklistTable = document.getElementById("assessmentResultTable");
  for (i = 0; i < checklistTable.rows.length; i++) {
    classValue = checklistTable.rows[i].className;
    if ((classValue.indexOf(displayArea) >= 0) &&
        (classValue.indexOf(valueToLookFor) >= 0)) {
      classValue = classValue.replace(valueToLookFor, valueToSetTo);
      checklistTable.rows[i].className = classValue;
    }
  }
  // Swap the class on matching divs in the details area
  var results = document.getElementById("assessmentDetailsArea").getElementsByTagName('div');
  for (i = 0; i < results.length; i++) {
    classValue = results[i].className;
    if ((classValue.indexOf(displayArea) >= 0) &&
        (classValue.indexOf(valueToLookFor) >= 0)) {
      classValue = classValue.replace(valueToLookFor, valueToSetTo);
      results[i].className = classValue;
    }
  }
}
document.addEventListener('DOMContentLoaded', function() {
  var modifiedRowCount = 0;
  var actualRowCount = 0;
  var checklistTable = document.getElementById("assessmentResultTable");
  var displayArea = "nonCriticalControlArea"
  // Loop index declared locally so it does not leak into the global scope
  for (var i = 0; i < checklistTable.rows.length; i++) {
    var classValue = checklistTable.rows[i].className;
    if (classValue.length > 0) {
      actualRowCount++
    }
    if (classValue.indexOf(displayArea) >= 0) {
      modifiedRowCount++
    }
  }
  // We are hiding only things that are not IG-1. So, if we hide everything, there's no controls 8.
  if (actualRowCount === modifiedRowCount) {
    var noControls8MessageDiv = document.getElementById("noControls8Div")
    noControls8MessageDiv.style = "visibility: visible; float: left;"
    document.getElementById("essentialHygieneCheckbox").disabled = true
  }
});
// -->
</script></head>
<body>
<div id="reportContainer">
<div class="coverPage" id="top" style="background:url(data:image/gif;base64,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) no-repeat;">
<div class="logoContainer"><span class="logoBar"><img src="data:image/png;base64,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"></img></span></div>
<div id="coverPageTitle">
<h1>Security Configuration Assessment Report</h1>
<h1>for debian-11-basehost-it-master-14177-0</h1>
<ul>
<li>Target IP Address: sto-ccc.gen:104.196.0.176:22</li>
</ul>
</div>
<div id="coverPageSubTitle" style="background:url(data:image/gif;base64,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) no-repeat;">
<h2>CIS Debian Linux 11 Benchmark v1.0.0</h2>
<ul>
<li>Level 2 - Server</li>
<li>Monday, October 10 2022 08:10:29</li>
<li>
Assessment Duration:
2 minutes, 9 seconds</li>
</ul>
</div>
<div class="introFooter">
<p>Report generated by the Center for Internet Security's Configuration Assessment Tool
(CIS-CAT Pro Assessor) v4.22.0. </p>
<p> For further information, please visit <a href="http://benchmarks.cisecurity.org">The Center for Internet Security</a> or our <a href="https://www.cisecurity.org/support/">Product Support</a> page. </p>
<p>Copyright ©2022, The Center for Internet Security</p>
<p>Content generated on 10/10/2022 08:12 AM. Content last obtained on 09/29/2022 15:34 PM. </p>
</div>
</div>
<div id="detailsContainer">
<div id="summary">
<h2 class="sectionTitle">Summary</h2>
<table width="100%">
<col align="left"></col>
<col align="center"></col>
<thead>
<tr>
<th rowspan="2">Description</th>
<th colspan="5">Tests</th>
<th colspan="3" title="urn:xccdf:scoring:flat">Scoring</th>
</tr>
<tr>
<th class="pass fixed" title="Pass">Pass</th>
<th class="fail" title="Fail">Fail</th>
<th class="error" title="Error">Error</th>
<th class="unknown" title="Unknown">Unkn.</th>
<th title="Manual">Man.</th>
<th>Score</th>
<th>Max</th>
<th>Percent</th>
</tr>
</thead>
<tbody>
<tr>
<td id="summary-d1e2131" class="group sub0">1 <a href="#checklist-d1e2131">Initial Setup</a></td>
<td class="numeric sub0">45</td>
<td class="numeric sub0">14</td>
<td class="numeric sub0">0</td>
<td class="numeric sub0">0</td>
<td class="numeric sub0">3</td>
<td class="numeric sub0">45.0</td>
<td class="numeric sub0">59.0</td>
<td class="numeric sub0">76%</td>
</tr>
<tr>
<td id="summary-d1e2136" class="group sub1">1.1 <a href="#checklist-d1e2136">Filesystem Configuration</a></td>
<td class="numeric sub1">20</td>
<td class="numeric sub1">10</td>
<td class="numeric sub1">0</td>
<td class="numeric sub1">0</td>
<td class="numeric sub1">0</td>
<td class="numeric sub1">20.0</td>
<td class="numeric sub1">30.0</td>
<td class="numeric sub1">67%</td>
</tr>
<tr>
<td id="summary-d1e2154" class="group sub2">1.1.1 <a href="#checklist-d1e2154">Disable unused filesystems</a></td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">3</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0.0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">0%</td>
</tr>
<tr>
<td id="summary-d1e2529" class="group sub2">1.1.2 <a href="#checklist-d1e2529">Configure /tmp</a></td>
<td class="numeric sub2">3</td>
<td class="numeric sub2">1</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">4.0</td>
<td class="numeric sub2">75%</td>
</tr>
<tr>
<td id="summary-d1e2896" class="group sub2">1.1.3 <a href="#checklist-d1e2896">Configure /var</a></td>
<td class="numeric sub2">2</td>
<td class="numeric sub2">1</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">2.0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">67%</td>
</tr>
<tr>
<td id="summary-d1e3134" class="group sub2">1.1.4 <a href="#checklist-d1e3134">Configure /var/tmp</a></td>
<td class="numeric sub2">3</td>
<td class="numeric sub2">1</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">4.0</td>
<td class="numeric sub2">75%</td>
</tr>
<tr>
<td id="summary-d1e3440" class="group sub2">1.1.5 <a href="#checklist-d1e3440">Configure /var/log</a></td>
<td class="numeric sub2">3</td>
<td class="numeric sub2">1</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">4.0</td>
<td class="numeric sub2">75%</td>
</tr>
<tr>
<td id="summary-d1e3734" class="group sub2">1.1.6 <a href="#checklist-d1e3734">Configure /var/log/audit</a></td>
<td class="numeric sub2">3</td>
<td class="numeric sub2">1</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">4.0</td>
<td class="numeric sub2">75%</td>
</tr>
<tr>
<td id="summary-d1e4050" class="group sub2">1.1.7 <a href="#checklist-d1e4050">Configure /home</a></td>
<td class="numeric sub2">2</td>
<td class="numeric sub2">1</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">2.0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">67%</td>
</tr>
<tr>
<td id="summary-d1e4299" class="group sub2">1.1.8 <a href="#checklist-d1e4299">Configure /dev/shm</a></td>
<td class="numeric sub2">3</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">3.0</td>
<td class="numeric sub2">100%</td>
</tr>
<tr>
<td id="summary-d1e4628" class="group sub1">1.2 <a href="#checklist-d1e4628">Configure Software Updates</a></td>
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">0.0</td> | |
<td class="numeric sub1">0.0</td> | |
<td class="numeric sub1">0%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e4694" class="group sub1">1.3 <a href="#checklist-d1e4694">Filesystem Integrity Checking</a></td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">2.0</td> | |
<td class="numeric sub1">2.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e4897" class="group sub1">1.4 <a href="#checklist-d1e4897">Secure Boot Settings</a></td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">1.0</td> | |
<td class="numeric sub1">3.0</td> | |
<td class="numeric sub1">33%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e5083" class="group sub1">1.5 <a href="#checklist-d1e5083">Additional Process Hardening</a></td> | |
<td class="numeric sub1">4</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">4.0</td> | |
<td class="numeric sub1">4.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e5365" class="group sub1">1.6 <a href="#checklist-d1e5365">Mandatory Access Control</a></td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">2.0</td> | |
<td class="numeric sub1">4.0</td> | |
<td class="numeric sub1">50%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e5379" class="group sub2">1.6.1 <a href="#checklist-d1e5379">Configure AppArmor</a></td> | |
<td class="numeric sub2">2</td> | |
<td class="numeric sub2">2</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">2.0</td> | |
<td class="numeric sub2">4.0</td> | |
<td class="numeric sub2">50%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e5562" class="group sub1">1.7 <a href="#checklist-d1e5562">Command Line Warning Banners</a></td> | |
<td class="numeric sub1">6</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">6.0</td> | |
<td class="numeric sub1">6.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e5920" class="group sub1">1.8 <a href="#checklist-d1e5920">GNOME Display Manager</a></td> | |
<td class="numeric sub1">10</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">10.0</td> | |
<td class="numeric sub1">10.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e7270" class="group sub0">2 <a href="#checklist-d1e7270">Services</a></td> | |
<td class="numeric sub0">27</td> | |
<td class="numeric sub0">2</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">4</td> | |
<td class="numeric sub0">27.0</td> | |
<td class="numeric sub0">29.0</td> | |
<td class="numeric sub0">93%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e7276" class="group sub1">2.1 <a href="#checklist-d1e7276">Configure Time Synchronization</a></td> | |
<td class="numeric sub1">6</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">3</td> | |
<td class="numeric sub1">6.0</td> | |
<td class="numeric sub1">7.0</td> | |
<td class="numeric sub1">86%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e7303" class="group sub2">2.1.1 <a href="#checklist-d1e7303">Ensure time synchronization is in use</a></td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">1.0</td> | |
<td class="numeric sub2">1.0</td> | |
<td class="numeric sub2">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e7476" class="group sub2">2.1.2 <a href="#checklist-d1e7476">Configure chrony</a></td> | |
<td class="numeric sub2">2</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">2.0</td> | |
<td class="numeric sub2">2.0</td> | |
<td class="numeric sub2">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e7738" class="group sub2">2.1.3 <a href="#checklist-d1e7738">Configure systemd-timesyncd</a></td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">0.0</td> | |
<td class="numeric sub2">1.0</td> | |
<td class="numeric sub2">0%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e7974" class="group sub2">2.1.4 <a href="#checklist-d1e7974">Configure ntp</a></td> | |
<td class="numeric sub2">3</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">3.0</td> | |
<td class="numeric sub2">3.0</td> | |
<td class="numeric sub2">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e8425" class="group sub1">2.2 <a href="#checklist-d1e8425">Special Purpose Services</a></td> | |
<td class="numeric sub1">15</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">15.0</td> | |
<td class="numeric sub1">16.0</td> | |
<td class="numeric sub1">94%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e9108" class="group sub1">2.3 <a href="#checklist-d1e9108">Service Clients</a></td> | |
<td class="numeric sub1">6</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">6.0</td> | |
<td class="numeric sub1">6.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e9424" class="group sub0">3 <a href="#checklist-d1e9424">Network Configuration</a></td> | |
<td class="numeric sub0">33</td> | |
<td class="numeric sub0">6</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">6</td> | |
<td class="numeric sub0">33.0</td> | |
<td class="numeric sub0">39.0</td> | |
<td class="numeric sub0">85%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e9502" class="group sub1">3.1 <a href="#checklist-d1e9502">Disable unused network protocols and devices</a></td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">4</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">1.0</td> | |
<td class="numeric sub1">5.0</td> | |
<td class="numeric sub1">20%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e10049" class="group sub1">3.2 <a href="#checklist-d1e10049">Network Parameters (Host Only)</a></td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">2.0</td> | |
<td class="numeric sub1">2.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e10465" class="group sub1">3.3 <a href="#checklist-d1e10465">Network Parameters (Host and Router)</a></td> | |
<td class="numeric sub1">8</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">8.0</td> | |
<td class="numeric sub1">9.0</td> | |
<td class="numeric sub1">89%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e12074" class="group sub1">3.4 <a href="#checklist-d1e12074">Firewall Configuration</a></td> | |
<td class="numeric sub1">22</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">5</td> | |
<td class="numeric sub1">22.0</td> | |
<td class="numeric sub1">23.0</td> | |
<td class="numeric sub1">96%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e12102" class="group sub2">3.4.1 <a href="#checklist-d1e12102">Configure UncomplicatedFirewall</a></td> | |
<td class="numeric sub2">6</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">6.0</td> | |
<td class="numeric sub2">6.0</td> | |
<td class="numeric sub2">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e12520" class="group sub2">3.4.2 <a href="#checklist-d1e12520">Configure nftables</a></td> | |
<td class="numeric sub2">8</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">2</td> | |
<td class="numeric sub2">8.0</td> | |
<td class="numeric sub2">8.0</td> | |
<td class="numeric sub2">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e13192" class="group sub2">3.4.3 <a href="#checklist-d1e13192">Configure iptables</a></td> | |
<td class="numeric sub2">8</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">2</td> | |
<td class="numeric sub2">8.0</td> | |
<td class="numeric sub2">9.0</td> | |
<td class="numeric sub2">89%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e13201" class="group sub3">3.4.3.1 <a href="#checklist-d1e13201">Configure iptables software</a></td> | |
<td class="numeric sub3">3</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">3.0</td> | |
<td class="numeric sub3">3.0</td> | |
<td class="numeric sub3">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e13379" class="group sub3">3.4.3.2 <a href="#checklist-d1e13379">Configure IPv4 iptables</a></td> | |
<td class="numeric sub3">2</td> | |
<td class="numeric sub3">1</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">1</td> | |
<td class="numeric sub3">2.0</td> | |
<td class="numeric sub3">3.0</td> | |
<td class="numeric sub3">67%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e13651" class="group sub3">3.4.3.3 <a href="#checklist-d1e13651">Configure IPv6 ip6tables</a></td> | |
<td class="numeric sub3">3</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">1</td> | |
<td class="numeric sub3">3.0</td> | |
<td class="numeric sub3">3.0</td> | |
<td class="numeric sub3">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e13919" class="group sub0">4 <a href="#checklist-d1e13919">Logging and Auditing</a></td> | |
<td class="numeric sub0">32</td> | |
<td class="numeric sub0">15</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">9</td> | |
<td class="numeric sub0">32.0</td> | |
<td class="numeric sub0">47.0</td> | |
<td class="numeric sub0">68%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e13957" class="group sub1">4.1 <a href="#checklist-d1e13957">Configure System Accounting (auditd)</a></td> | |
<td class="numeric sub1">23</td> | |
<td class="numeric sub1">14</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">23.0</td> | |
<td class="numeric sub1">37.0</td> | |
<td class="numeric sub1">62%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e14068" class="group sub2">4.1.1 <a href="#checklist-d1e14068">Ensure auditing is enabled</a></td> | |
<td class="numeric sub2">4</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">4.0</td> | |
<td class="numeric sub2">4.0</td> | |
<td class="numeric sub2">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e14285" class="group sub2">4.1.2 <a href="#checklist-d1e14285">Configure Data Retention</a></td> | |
<td class="numeric sub2">2</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">2.0</td> | |
<td class="numeric sub2">3.0</td> | |
<td class="numeric sub2">67%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e14471" class="group sub2">4.1.3 <a href="#checklist-d1e14471">Configure auditd rules</a></td> | |
<td class="numeric sub2">8</td> | |
<td class="numeric sub2">12</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">8.0</td> | |
<td class="numeric sub2">20.0</td> | |
<td class="numeric sub2">40%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e16826" class="group sub2">4.1.4 <a href="#checklist-d1e16826">Configure auditd file access</a></td> | |
<td class="numeric sub2">9</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">9.0</td> | |
<td class="numeric sub2">10.0</td> | |
<td class="numeric sub2">90%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e17298" class="group sub1">4.2 <a href="#checklist-d1e17298">Configure Logging</a></td> | |
<td class="numeric sub1">9</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">8</td> | |
<td class="numeric sub1">9.0</td> | |
<td class="numeric sub1">10.0</td> | |
<td class="numeric sub1">90%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e17358" class="group sub2">4.2.1 <a href="#checklist-d1e17358">Configure journald</a></td> | |
<td class="numeric sub2">5</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">5</td> | |
<td class="numeric sub2">5.0</td> | |
<td class="numeric sub2">5.0</td> | |
<td class="numeric sub2">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e17380" class="group sub3">4.2.1.1 <a href="#checklist-d1e17380">Ensure journald is configured to send logs to a remote log host</a></td> | |
<td class="numeric sub3">2</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">0</td> | |
<td class="numeric sub3">2</td> | |
<td class="numeric sub3">2.0</td> | |
<td class="numeric sub3">2.0</td> | |
<td class="numeric sub3">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e17929" class="group sub2">4.2.2 <a href="#checklist-d1e17929">Configure rsyslog</a></td> | |
<td class="numeric sub2">4</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">3</td> | |
<td class="numeric sub2">4.0</td> | |
<td class="numeric sub2">4.0</td> | |
<td class="numeric sub2">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e18587" class="group sub0">5 <a href="#checklist-d1e18587">Access, Authentication and Authorization</a></td> | |
<td class="numeric sub0">45</td> | |
<td class="numeric sub0">6</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">1</td> | |
<td class="numeric sub0">45.0</td> | |
<td class="numeric sub0">51.0</td> | |
<td class="numeric sub0">88%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e18591" class="group sub1">5.1 <a href="#checklist-d1e18591">Configure time-based job schedulers</a></td> | |
<td class="numeric sub1">9</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">9.0</td> | |
<td class="numeric sub1">9.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e19215" class="group sub1">5.2 <a href="#checklist-d1e19215">Configure SSH Server</a></td> | |
<td class="numeric sub1">21</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">21.0</td> | |
<td class="numeric sub1">22.0</td> | |
<td class="numeric sub1">95%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e20619" class="group sub1">5.3 <a href="#checklist-d1e20619">Configure privilege escalation</a></td> | |
<td class="numeric sub1">6</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">6.0</td> | |
<td class="numeric sub1">7.0</td> | |
<td class="numeric sub1">86%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e21096" class="group sub1">5.4 <a href="#checklist-d1e21096">Configure PAM</a></td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">1</td> | |
<td class="numeric sub1">2.0</td> | |
<td class="numeric sub1">4.0</td> | |
<td class="numeric sub1">50%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e21613" class="group sub1">5.5 <a href="#checklist-d1e21613">User Accounts and Environment</a></td> | |
<td class="numeric sub1">7</td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">7.0</td> | |
<td class="numeric sub1">9.0</td> | |
<td class="numeric sub1">78%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e21618" class="group sub2">5.5.1 <a href="#checklist-d1e21618">Set Shadow Password Suite Parameters</a></td> | |
<td class="numeric sub2">4</td> | |
<td class="numeric sub2">1</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">0</td> | |
<td class="numeric sub2">4.0</td> | |
<td class="numeric sub2">5.0</td> | |
<td class="numeric sub2">80%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e22537" class="group sub0">6 <a href="#checklist-d1e22537">System Maintenance</a></td> | |
<td class="numeric sub0">28</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">0</td> | |
<td class="numeric sub0">2</td> | |
<td class="numeric sub0">28.0</td> | |
<td class="numeric sub0">28.0</td> | |
<td class="numeric sub0">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e22542" class="group sub1">6.1 <a href="#checklist-d1e22542">System File Permissions</a></td> | |
<td class="numeric sub1">11</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">2</td> | |
<td class="numeric sub1">11.0</td> | |
<td class="numeric sub1">11.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<td id="summary-d1e23219" class="group sub1">6.2 <a href="#checklist-d1e23219">Local User and Group Settings</a></td> | |
<td class="numeric sub1">17</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">0</td> | |
<td class="numeric sub1">17.0</td> | |
<td class="numeric sub1">17.0</td> | |
<td class="numeric sub1">100%</td> | |
</tr> | |
<tr> | |
<th class="group" align="right">Total</th> | |
<td class="numeric bold">210</td> | |
<td class="numeric bold">43</td> | |
<td class="numeric bold">0</td> | |
<td class="numeric bold">0</td> | |
<td class="numeric bold">25</td> | |
<td class="numeric bold">210.0</td> | |
<td class="numeric bold">253.0</td> | |
<td class="numeric bold">83%</td> | |
</tr> | |
</tbody> | |
</table> | |
<p class="caption"><b>Note</b>: Actual scores are subject to rounding errors. The sum of these values may not result | |
in the exact overall score.</p> | |
</div> | |
<div id="profiles" class="profiles"> | |
<h2 class="sectionTitle">Profiles</h2> | |
<p>This benchmark contains 4 profiles. The <span class="bold">Level 2 - Server</span> profile was used for this assessment.</p>
<table class="profile" width="100%"> | |
<thead> | |
<tr> | |
<th width="20%">Title</th> | |
<th width="80%">Description</th> | |
</tr> | |
</thead> | |
<tbody> | |
<tr valign="top" class=""> | |
<td>Level 1 - Server</td> | |
<td> | |
<p>Items in this profile intend to:</p> | |
<ul> | |
<li>be practical and prudent;</li> | |
<li>provide a clear security benefit; and</li> | |
<li>not inhibit the utility of the technology beyond acceptable means.</li> | |
</ul> | |
<p>This profile is intended for servers.</p> | |
<div class="profile-action"><span class="action" id="d1e219_xml_button" onclick="switchState('d1e219_xml'); return false;">Show</span><span class="caption"> Profile XML</span></div> | |
<div class="xml" id="d1e219_xml"> | |
<pre><xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream" | |
xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" | |
xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:xlink="http://www.w3.org/1999/xlink" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server"> | |
<xccdf:title xml:lang="en">Level 1 - Server</xccdf:title> | |
<xccdf:description xml:lang="en"> | |
<xhtml:p>Items in this profile intend to:</xhtml:p> | |
<xhtml:ul> | |
<xhtml:li>be practical and prudent;</xhtml:li> | |
<xhtml:li>provide a clear security benefit; and</xhtml:li> | |
<xhtml:li>not inhibit the utility of the technology beyond acceptable means.</xhtml:li> | |
</xhtml:ul> | |
<xhtml:p>This profile is intended for servers.</xhtml:p> | |
</xccdf:description> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.1_Ensure_tmp_is_a_separate_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.2_Ensure_nodev_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.3_Ensure_noexec_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.2_Ensure_nodev_option_set_on_var_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.3_Ensure_nosuid_option_set_on_var_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.2_Ensure_nodev_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.3_Ensure_noexec_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.4_Ensure_nosuid_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.2_Ensure_noexec_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.3_Ensure_nodev_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.4_Ensure_nosuid_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.2_Ensure_nodev_option_set_on_home_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.3_Ensure_nosuid_option_set_on_home_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.1_Ensure_nodev_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.2_Ensure_noexec_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.3_Ensure_nosuid_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Disable_Automounting" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Disable_USB_Storage" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_bootloader_password_is_set" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_permissions_on_bootloader_config_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_authentication_required_for_single_user_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_address_space_layout_randomization_ASLR_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_prelink_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_Automatic_Error_Reporting_is_not_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_GDM_disable-user-list_option_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.8_Ensure_GDM_autorun-never_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.9_Ensure_GDM_autorun-never_is_not_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.10_Ensure_XDCMP_is_not_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_a_single_time_synchronization_daemon_is_in_use" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.1_Ensure_chrony_is_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.2_Ensure_chrony_is_running_as_user__chrony" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.3_Ensure_chrony_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3.1_Ensure_systemd-timesyncd_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3.2_Ensure_systemd-timesyncd_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.1_Ensure_ntp_access_control_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.2_Ensure_ntp_is_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.3_Ensure_ntp_is_running_as_user_ntp" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.4_Ensure_ntp_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_Ensure_X_Window_System_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_Avahi_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_CUPS_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_DHCP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure_NFS_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_Ensure_DNS_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.8_Ensure_FTP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.9_Ensure_HTTP_server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.10_Ensure_IMAP_and_POP3_server_are_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.11_Ensure_Samba_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.12_Ensure_HTTP_Proxy_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.13_Ensure_SNMP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.14_Ensure_NIS_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.16_Ensure_rsync_service_is_either_not_installed_or_masked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1_Ensure_NIS_Client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2_Ensure_rsh_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.3_Ensure_talk_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4_Ensure_telnet_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5_Ensure_LDAP_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6_Ensure__RPC_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.4_Ensure_nonessential_services_are_removed_or_masked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.1_Ensure__system_is_checked_to_determine_if_IPv6_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_wireless_interfaces_are_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.11_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.1_Ensure_systemd-journal-remote_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.2_Ensure_systemd-journal-remote_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.3_Ensure_systemd-journal-remote_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.4_Ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_journald_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_journald_is_configured_to_compress_large_log_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_journald_log_rotation_is_configured_per_site_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.7_Ensure_journald_default_file_permissions_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_rsyslog_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_rsyslog_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.4_Ensure_rsyslog_default_file_permissions_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.5_Ensure_logging_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_all_logfiles_have_appropriate_permissions_and_ownership" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.4_Ensure_SSH_access_is_limited" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.5_Ensure_SSH_LogLevel_is_appropriate" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.6_Ensure_SSH_PAM_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.7_Ensure_SSH_root_login_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_HostbasedAuthentication_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.10_Ensure_SSH_PermitUserEnvironment_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.11_Ensure_SSH_IgnoreRhosts_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.13_Ensure_only_strong_Ciphers_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.14_Ensure_only_strong_MAC_algorithms_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.15_Ensure_only_strong_Key_Exchange_algorithms_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.17_Ensure_SSH_warning_banner_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.18_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.19_Ensure_SSH_MaxStartups_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.20_Ensure_SSH_MaxSessions_is_set_to_10_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.21_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.22_Ensure_SSH_Idle_Timeout_Interval_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_sudo_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_sudo_commands_use_pty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_sudo_log_file_exists" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_access_to_the_su_command_is_restricted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_up_to_date_with_the_latest_standards" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.5_Ensure_all_current_passwords_uses_the_configured_hashing_algorithm" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Ensure_permissions_on_etcpasswd_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcgroup_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcshadow_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcgshadow_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_no_world_writable_files_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_unowned_files_or_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_ungrouped_files_or_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Audit_SUID_executables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SGID_executables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_etcshadow_password_fields_are_not_empty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_shadow_group_is_empty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_no_duplicate_UIDs_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_no_duplicate_GIDs_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_no_duplicate_user_names_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_duplicate_group_names_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_root_PATH_Integrity" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_root_is_the_only_UID_0_account" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_local_interactive_user_home_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_local_interactive_users_own_their_home_directories" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_local_interactive_user_has_.netrc_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_local_interactive_user_has_.forward_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_local_interactive_user_has_.rhosts_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_local_interactive_user_dot_files_are_not_group_or_world_writable" | |
selected="true"/> | |
</xccdf:Profile> | |
</pre> | |
</div><script type="text/javascript">setState('d1e219_xml', false);</script></td> | |
</tr> | |
<tr valign="top" class=" selected-row"> | |
<td>Level 2 - Server</td> | |
<td> | |
<p>This profile extends the "Level 1 - Server" profile. Items in this profile exhibit | |
one or more of the following characteristics:</p> | |
<ul> | |
<li>are intended for environments or use cases where security is paramount.</li> | |
<li>act as a defense-in-depth measure.</li> | |
<li>may negatively inhibit the utility or performance of the technology.</li> | |
</ul> | |
<p>This profile is intended for servers.</p> | |
<div class="profile-action"><span class="action" id="d1e474_xml_button" onclick="switchState('d1e474_xml'); return false;">Show</span><span class="caption"> Profile XML</span></div> | |
<div class="xml" id="d1e474_xml"> | |
<pre><xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream" | |
xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" | |
xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:xlink="http://www.w3.org/1999/xlink" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server"> | |
<xccdf:title xml:lang="en">Level 2 - Server</xccdf:title> | |
<xccdf:description xml:lang="en"> | |
<xhtml:p>This profile extends the "Level 1 - Server" profile. Items in this profile exhibit one or more of the following characteristics:</xhtml:p> | |
<xhtml:ul> | |
<xhtml:li>are intended for environments or use cases where security is paramount.</xhtml:li> | |
<xhtml:li>acts as defense in depth measure.</xhtml:li> | |
<xhtml:li>may negatively inhibit the utility or performance of the technology.</xhtml:li> | |
</xhtml:ul> | |
<xhtml:p>This profile is intended for servers.</xhtml:p> | |
</xccdf:description> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.1_Ensure_tmp_is_a_separate_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.2_Ensure_nodev_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.3_Ensure_noexec_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.1_Ensure_separate_partition_exists_for_var" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.2_Ensure_nodev_option_set_on_var_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.3_Ensure_nosuid_option_set_on_var_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.1_Ensure_separate_partition_exists_for_vartmp" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.1_Ensure_separate_partition_exists_for_varlog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.2_Ensure_nodev_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.3_Ensure_noexec_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.4_Ensure_nosuid_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.1_Ensure_separate_partition_exists_for_varlogaudit" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.2_Ensure_noexec_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.3_Ensure_nodev_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.4_Ensure_nosuid_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.1_Ensure_separate_partition_exists_for_home" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.2_Ensure_nodev_option_set_on_home_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.3_Ensure_nosuid_option_set_on_home_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.1_Ensure_nodev_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.2_Ensure_noexec_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.3_Ensure_nosuid_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Disable_Automounting" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Disable_USB_Storage" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_bootloader_password_is_set" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_permissions_on_bootloader_config_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_authentication_required_for_single_user_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_address_space_layout_randomization_ASLR_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_prelink_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_Automatic_Error_Reporting_is_not_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.4_Ensure_all_AppArmor_Profiles_are_enforcing" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.1_Ensure_GNOME_Display_Manager_is_removed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_GDM_disable-user-list_option_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.8_Ensure_GDM_autorun-never_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.9_Ensure_GDM_autorun-never_is_not_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.10_Ensure_XDCMP_is_not_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_a_single_time_synchronization_daemon_is_in_use" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.1_Ensure_chrony_is_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.2_Ensure_chrony_is_running_as_user__chrony" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.3_Ensure_chrony_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3.1_Ensure_systemd-timesyncd_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3.2_Ensure_systemd-timesyncd_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.1_Ensure_ntp_access_control_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.2_Ensure_ntp_is_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.3_Ensure_ntp_is_running_as_user_ntp" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.4_Ensure_ntp_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_Ensure_X_Window_System_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_Avahi_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_CUPS_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_DHCP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure_NFS_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_Ensure_DNS_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.8_Ensure_FTP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.9_Ensure_HTTP_server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.10_Ensure_IMAP_and_POP3_server_are_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.11_Ensure_Samba_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.12_Ensure_HTTP_Proxy_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.13_Ensure_SNMP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.14_Ensure_NIS_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.16_Ensure_rsync_service_is_either_not_installed_or_masked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1_Ensure_NIS_Client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2_Ensure_rsh_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.3_Ensure_talk_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4_Ensure_telnet_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5_Ensure_LDAP_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6_Ensure__RPC_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.4_Ensure_nonessential_services_are_removed_or_masked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.1_Ensure__system_is_checked_to_determine_if_IPv6_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_wireless_interfaces_are_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.3_Ensure_DCCP_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.4_Ensure_SCTP_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.5_Ensure_RDS_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.6_Ensure_TIPC_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.1_Ensure_auditd_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.2_Ensure_auditd_service_is_enabled_and_active" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.4_Ensure_audit_backlog_limit_is_sufficient" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.1_Ensure_audit_log_storage_size_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.2_Ensure_actions_as_another_user_are_always_logged" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.4_Ensure_events_that_modify_date_and_time_information_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.6_Ensure_use_of_privileged_commands_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.7_Ensure_unsuccessful_file_access_attempts_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.8_Ensure_events_that_modify_usergroup_information_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.10_Ensure_successful_file_system_mounts_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.11_Ensure_session_initiation_information_is_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.12_Ensure_login_and_logout_events_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.13_Ensure_file_deletion_events_by_users_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.20_Ensure_the_audit_configuration_is_immutable" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.1_Ensure_audit_log_files_are_mode_0640_or_less_permissive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.2_Ensure_only_authorized_users_own_audit_log_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.3_Ensure_only_authorized_groups_are_assigned_ownership_of_audit_log_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.4_Ensure_the_audit_log_directory_is_0750_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.5_Ensure_audit_configuration_files_are_640_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.6_Ensure_audit_configuration_files_are_owned_by_root" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.7_Ensure_audit_configuration_files_belong_to_group_root" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.8_Ensure_audit_tools_are_755_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.9_Ensure_audit_tools_are_owned_by_root" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.10_Ensure_audit_tools_belong_to_group_root" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.11_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.1_Ensure_systemd-journal-remote_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.2_Ensure_systemd-journal-remote_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.3_Ensure_systemd-journal-remote_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.4_Ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_journald_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_journald_is_configured_to_compress_large_log_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_journald_log_rotation_is_configured_per_site_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.7_Ensure_journald_default_file_permissions_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_rsyslog_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_rsyslog_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.4_Ensure_rsyslog_default_file_permissions_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.5_Ensure_logging_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_all_logfiles_have_appropriate_permissions_and_ownership" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.4_Ensure_SSH_access_is_limited" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.5_Ensure_SSH_LogLevel_is_appropriate" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.6_Ensure_SSH_PAM_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.7_Ensure_SSH_root_login_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_HostbasedAuthentication_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.10_Ensure_SSH_PermitUserEnvironment_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.11_Ensure_SSH_IgnoreRhosts_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.12_Ensure_SSH_X11_forwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.13_Ensure_only_strong_Ciphers_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.14_Ensure_only_strong_MAC_algorithms_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.15_Ensure_only_strong_Key_Exchange_algorithms_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.16_Ensure_SSH_AllowTcpForwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.17_Ensure_SSH_warning_banner_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.18_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.19_Ensure_SSH_MaxStartups_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.20_Ensure_SSH_MaxSessions_is_set_to_10_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.21_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.22_Ensure_SSH_Idle_Timeout_Interval_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_sudo_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_sudo_commands_use_pty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_sudo_log_file_exists" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.4_Ensure_users_must_provide_password_for_privilege_escalation" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_access_to_the_su_command_is_restricted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_up_to_date_with_the_latest_standards" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.5_Ensure_all_current_passwords_uses_the_configured_hashing_algorithm" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Ensure_permissions_on_etcpasswd_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcgroup_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcshadow_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcgshadow_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_no_world_writable_files_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_unowned_files_or_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_ungrouped_files_or_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Audit_SUID_executables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SGID_executables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_etcshadow_password_fields_are_not_empty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_shadow_group_is_empty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_no_duplicate_UIDs_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_no_duplicate_GIDs_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_no_duplicate_user_names_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_duplicate_group_names_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_root_PATH_Integrity" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_root_is_the_only_UID_0_account" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_local_interactive_user_home_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_local_interactive_users_own_their_home_directories" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_local_interactive_user_has_.netrc_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_local_interactive_user_has_.forward_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_local_interactive_user_has_.rhosts_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_local_interactive_user_dot_files_are_not_group_or_world_writable" | |
selected="true"/> | |
</xccdf:Profile> | |
</pre> | |
</div><script type="text/javascript">setState('d1e474_xml', false);</script></td> | |
</tr> | |
<tr valign="top" class=""> | |
<td>Level 1 - Workstation</td> | |
<td> | |
<p>Items in this profile intend to:</p> | |
<ul> | |
<li>be practical and prudent;</li> | |
<li>provide a clear security benefit; and</li> | |
<li>not inhibit the utility of the technology beyond acceptable means.</li> | |
</ul> | |
<p>This profile is intended for workstations.</p> | |
<div class="profile-action"><span class="action" id="d1e788_xml_button" onclick="switchState('d1e788_xml'); return false;">Show</span><span class="caption"> Profile XML</span></div> | |
<div class="xml" id="d1e788_xml"> | |
<pre><xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream" | |
xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" | |
xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:xlink="http://www.w3.org/1999/xlink" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Workstation"> | |
<xccdf:title xml:lang="en">Level 1 - Workstation</xccdf:title> | |
<xccdf:description xml:lang="en"> | |
<xhtml:p>Items in this profile intend to:</xhtml:p> | |
<xhtml:ul> | |
<xhtml:li>be practical and prudent;</xhtml:li> | |
<xhtml:li>provide a clear security benefit; and</xhtml:li> | |
<xhtml:li>not inhibit the utility of the technology beyond acceptable means.</xhtml:li> | |
</xhtml:ul> | |
<xhtml:p>This profile is intended for workstations.</xhtml:p> | |
</xccdf:description> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.1_Ensure_tmp_is_a_separate_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.2_Ensure_nodev_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.3_Ensure_noexec_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.2_Ensure_nodev_option_set_on_var_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.3_Ensure_nosuid_option_set_on_var_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.2_Ensure_nodev_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.3_Ensure_noexec_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.4_Ensure_nosuid_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.2_Ensure_noexec_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.3_Ensure_nodev_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.4_Ensure_nosuid_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.2_Ensure_nodev_option_set_on_home_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.3_Ensure_nosuid_option_set_on_home_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.1_Ensure_nodev_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.2_Ensure_noexec_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.3_Ensure_nosuid_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_bootloader_password_is_set" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_permissions_on_bootloader_config_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_authentication_required_for_single_user_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_address_space_layout_randomization_ASLR_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_prelink_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_Automatic_Error_Reporting_is_not_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_GDM_disable-user-list_option_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.8_Ensure_GDM_autorun-never_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.9_Ensure_GDM_autorun-never_is_not_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.10_Ensure_XDCMP_is_not_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_a_single_time_synchronization_daemon_is_in_use" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.1_Ensure_chrony_is_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.2_Ensure_chrony_is_running_as_user__chrony" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.3_Ensure_chrony_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3.1_Ensure_systemd-timesyncd_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3.2_Ensure_systemd-timesyncd_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.1_Ensure_ntp_access_control_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.2_Ensure_ntp_is_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.3_Ensure_ntp_is_running_as_user_ntp" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.4_Ensure_ntp_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_Avahi_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_DHCP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure_NFS_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_Ensure_DNS_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.8_Ensure_FTP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.9_Ensure_HTTP_server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.10_Ensure_IMAP_and_POP3_server_are_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.11_Ensure_Samba_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.12_Ensure_HTTP_Proxy_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.13_Ensure_SNMP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.14_Ensure_NIS_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.16_Ensure_rsync_service_is_either_not_installed_or_masked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1_Ensure_NIS_Client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2_Ensure_rsh_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.3_Ensure_talk_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4_Ensure_telnet_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5_Ensure_LDAP_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6_Ensure__RPC_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.4_Ensure_nonessential_services_are_removed_or_masked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.1_Ensure__system_is_checked_to_determine_if_IPv6_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.11_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.1_Ensure_systemd-journal-remote_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.2_Ensure_systemd-journal-remote_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.3_Ensure_systemd-journal-remote_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.4_Ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_journald_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_journald_is_configured_to_compress_large_log_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_journald_log_rotation_is_configured_per_site_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.7_Ensure_journald_default_file_permissions_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_rsyslog_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_rsyslog_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.4_Ensure_rsyslog_default_file_permissions_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.5_Ensure_logging_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_all_logfiles_have_appropriate_permissions_and_ownership" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.4_Ensure_SSH_access_is_limited" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.5_Ensure_SSH_LogLevel_is_appropriate" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.6_Ensure_SSH_PAM_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.7_Ensure_SSH_root_login_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_HostbasedAuthentication_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.10_Ensure_SSH_PermitUserEnvironment_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.11_Ensure_SSH_IgnoreRhosts_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.12_Ensure_SSH_X11_forwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.13_Ensure_only_strong_Ciphers_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.14_Ensure_only_strong_MAC_algorithms_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.15_Ensure_only_strong_Key_Exchange_algorithms_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.17_Ensure_SSH_warning_banner_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.18_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.19_Ensure_SSH_MaxStartups_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.20_Ensure_SSH_MaxSessions_is_set_to_10_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.21_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.22_Ensure_SSH_Idle_Timeout_Interval_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_sudo_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_sudo_commands_use_pty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_sudo_log_file_exists" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_access_to_the_su_command_is_restricted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_up_to_date_with_the_latest_standards" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.5_Ensure_all_current_passwords_uses_the_configured_hashing_algorithm" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Ensure_permissions_on_etcpasswd_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcgroup_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcshadow_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcgshadow_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_no_world_writable_files_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_unowned_files_or_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_ungrouped_files_or_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Audit_SUID_executables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SGID_executables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_etcshadow_password_fields_are_not_empty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_shadow_group_is_empty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_no_duplicate_UIDs_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_no_duplicate_GIDs_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_no_duplicate_user_names_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_duplicate_group_names_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_root_PATH_Integrity" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_root_is_the_only_UID_0_account" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_local_interactive_user_home_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_local_interactive_users_own_their_home_directories" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_local_interactive_user_has_.netrc_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_local_interactive_user_has_.forward_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_local_interactive_user_has_.rhosts_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_local_interactive_user_dot_files_are_not_group_or_world_writable" | |
selected="true"/> | |
</xccdf:Profile> | |
</pre> | |
</div><script type="text/javascript">setState('d1e788_xml', false);</script></td> | |
</tr> | |
<tr valign="top" class=""> | |
<td>Level 2 - Workstation</td> | |
<td> | |
<p>This profile extends the "Level 1 - Workstation" profile. Items in this profile exhibit | |
one or more of the following characteristics:</p> | |
<ul> | |
<li>are intended for environments or use cases where security is paramount.</li> | |
<li>act as a defense-in-depth measure.</li> | |
<li>may negatively inhibit the utility or performance of the technology.</li> | |
</ul> | |
<p>This profile is intended for workstations.</p> | |
<div class="profile-action"><span class="action" id="d1e1037_xml_button" onclick="switchState('d1e1037_xml'); return false;">Show</span><span class="caption"> Profile XML</span></div> | |
<div class="xml" id="d1e1037_xml"> | |
<pre><xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream" | |
xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" | |
xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:xlink="http://www.w3.org/1999/xlink" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Workstation"> | |
<xccdf:title xml:lang="en">Level 2 - Workstation</xccdf:title> | |
<xccdf:description xml:lang="en"> | |
<xhtml:p>This profile extends the "Level 1 - Workstation" profile. Items in this profile exhibit one or more of the following characteristics:</xhtml:p> | |
<xhtml:ul> | |
<xhtml:li>are intended for environments or use cases where security is paramount.</xhtml:li> | |
<xhtml:li>acts as defense in depth measure.</xhtml:li> | |
<xhtml:li>may negatively inhibit the utility or performance of the technology.</xhtml:li> | |
</xhtml:ul> | |
<xhtml:p>This profile is intended for workstations.</xhtml:p> | |
</xccdf:description> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.1_Ensure_tmp_is_a_separate_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.2_Ensure_nodev_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.3_Ensure_noexec_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.1_Ensure_separate_partition_exists_for_var" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.2_Ensure_nodev_option_set_on_var_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.3_Ensure_nosuid_option_set_on_var_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.1_Ensure_separate_partition_exists_for_vartmp" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.1_Ensure_separate_partition_exists_for_varlog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.2_Ensure_nodev_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.3_Ensure_noexec_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.4_Ensure_nosuid_option_set_on_varlog_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.1_Ensure_separate_partition_exists_for_varlogaudit" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.2_Ensure_noexec_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.3_Ensure_nodev_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6.4_Ensure_nosuid_option_set_on_varlogaudit_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.1_Ensure_separate_partition_exists_for_home" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.2_Ensure_nodev_option_set_on_home_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7.3_Ensure_nosuid_option_set_on_home_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.1_Ensure_nodev_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.2_Ensure_noexec_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8.3_Ensure_nosuid_option_set_on_devshm_partition" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Disable_Automounting" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Disable_USB_Storage" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_bootloader_password_is_set" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_permissions_on_bootloader_config_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_authentication_required_for_single_user_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_address_space_layout_randomization_ASLR_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_prelink_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_Automatic_Error_Reporting_is_not_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.4_Ensure_all_AppArmor_Profiles_are_enforcing" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_GDM_disable-user-list_option_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_GDM_screen_locks_when_the_user_is_idle" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.5_Ensure_GDM_screen_locks_cannot_be_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.6_Ensure_GDM_automatic_mounting_of_removable_media_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.7_Ensure_GDM_disabling_automatic_mounting_of_removable_media_is_not_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.8_Ensure_GDM_autorun-never_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.9_Ensure_GDM_autorun-never_is_not_overridden" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.10_Ensure_XDCMP_is_not_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_a_single_time_synchronization_daemon_is_in_use" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.1_Ensure_chrony_is_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.2_Ensure_chrony_is_running_as_user__chrony" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2.3_Ensure_chrony_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3.1_Ensure_systemd-timesyncd_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3.2_Ensure_systemd-timesyncd_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.1_Ensure_ntp_access_control_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.2_Ensure_ntp_is_configured_with_authorized_timeserver" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.3_Ensure_ntp_is_running_as_user_ntp" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4.4_Ensure_ntp_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_Avahi_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_CUPS_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_DHCP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure_NFS_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_Ensure_DNS_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.8_Ensure_FTP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.9_Ensure_HTTP_server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.10_Ensure_IMAP_and_POP3_server_are_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.11_Ensure_Samba_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.12_Ensure_HTTP_Proxy_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.13_Ensure_SNMP_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.14_Ensure_NIS_Server_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.16_Ensure_rsync_service_is_either_not_installed_or_masked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1_Ensure_NIS_Client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2_Ensure_rsh_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.3_Ensure_talk_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4_Ensure_telnet_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5_Ensure_LDAP_client_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6_Ensure__RPC_is_not_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.4_Ensure_nonessential_services_are_removed_or_masked" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.1_Ensure__system_is_checked_to_determine_if_IPv6_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_wireless_interfaces_are_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.3_Ensure_DCCP_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.4_Ensure_SCTP_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.5_Ensure_RDS_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.6_Ensure_TIPC_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_default_deny_firewall_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_loopback_traffic_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_outbound_and_established_connections_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.1_Ensure_auditd_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.2_Ensure_auditd_service_is_enabled_and_active" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.4_Ensure_audit_backlog_limit_is_sufficient" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.1_Ensure_audit_log_storage_size_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.1_Ensure_changes_to_system_administration_scope_sudoers_is_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.2_Ensure_actions_as_another_user_are_always_logged" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.3_Ensure_events_that_modify_the_sudo_log_file_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.4_Ensure_events_that_modify_date_and_time_information_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.5_Ensure_events_that_modify_the_systems_network_environment_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.6_Ensure_use_of_privileged_commands_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.7_Ensure_unsuccessful_file_access_attempts_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.8_Ensure_events_that_modify_usergroup_information_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.9_Ensure_discretionary_access_control_permission_modification_events_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.10_Ensure_successful_file_system_mounts_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.11_Ensure_session_initiation_information_is_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.12_Ensure_login_and_logout_events_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.13_Ensure_file_deletion_events_by_users_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.14_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.15_Ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.16_Ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.17_Ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.18_Ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.19_Ensure_kernel_module_loading_unloading_and_modification_is_collected" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.20_Ensure_the_audit_configuration_is_immutable" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3.21_Ensure_the_running_and_on_disk_configuration_is_the_same" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.1_Ensure_audit_log_files_are_mode_0640_or_less_permissive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.2_Ensure_only_authorized_users_own_audit_log_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.3_Ensure_only_authorized_groups_are_assigned_ownership_of_audit_log_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.4_Ensure_the_audit_log_directory_is_0750_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.5_Ensure_audit_configuration_files_are_640_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.6_Ensure_audit_configuration_files_are_owned_by_root" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.7_Ensure_audit_configuration_files_belong_to_group_root" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.8_Ensure_audit_tools_are_755_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.9_Ensure_audit_tools_are_owned_by_root" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.10_Ensure_audit_tools_belong_to_group_root" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4.11_Ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.1_Ensure_systemd-journal-remote_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.2_Ensure_systemd-journal-remote_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.3_Ensure_systemd-journal-remote_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1.4_Ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_journald_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_journald_is_configured_to_compress_large_log_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_journald_is_not_configured_to_send_logs_to_rsyslog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_journald_log_rotation_is_configured_per_site_policy" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.7_Ensure_journald_default_file_permissions_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_rsyslog_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_rsyslog_service_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_send_logs_to_rsyslog" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.4_Ensure_rsyslog_default_file_permissions_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.5_Ensure_logging_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.6_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.7_Ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_all_logfiles_have_appropriate_permissions_and_ownership" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_permissions_on_etcsshsshd_config_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.4_Ensure_SSH_access_is_limited" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.5_Ensure_SSH_LogLevel_is_appropriate" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.6_Ensure_SSH_PAM_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.7_Ensure_SSH_root_login_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.8_Ensure_SSH_HostbasedAuthentication_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.9_Ensure_SSH_PermitEmptyPasswords_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.10_Ensure_SSH_PermitUserEnvironment_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.11_Ensure_SSH_IgnoreRhosts_is_enabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.12_Ensure_SSH_X11_forwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.13_Ensure_only_strong_Ciphers_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.14_Ensure_only_strong_MAC_algorithms_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.15_Ensure_only_strong_Key_Exchange_algorithms_are_used" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.16_Ensure_SSH_AllowTcpForwarding_is_disabled" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.17_Ensure_SSH_warning_banner_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.18_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.19_Ensure_SSH_MaxStartups_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.20_Ensure_SSH_MaxSessions_is_set_to_10_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.21_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.22_Ensure_SSH_Idle_Timeout_Interval_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_sudo_is_installed" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_sudo_commands_use_pty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_sudo_log_file_exists" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.4_Ensure_users_must_provide_password_for_privilege_escalation" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_re-authentication_for_privilege_escalation_is_not_disabled_globally" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_sudo_authentication_timeout_is_configured_correctly" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_access_to_the_su_command_is_restricted" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_up_to_date_with_the_latest_standards" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.5_Ensure_all_current_passwords_uses_the_configured_hashing_algorithm" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Ensure_permissions_on_etcpasswd_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcgroup_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcshadow_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcgshadow_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow-_are_configured" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_no_world_writable_files_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_unowned_files_or_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_ungrouped_files_or_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Audit_SUID_executables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SGID_executables" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_etcshadow_password_fields_are_not_empty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_shadow_group_is_empty" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_no_duplicate_UIDs_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_no_duplicate_GIDs_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_no_duplicate_user_names_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_duplicate_group_names_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_root_PATH_Integrity" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_root_is_the_only_UID_0_account" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_local_interactive_user_home_directories_exist" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_local_interactive_users_own_their_home_directories" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_local_interactive_user_has_.netrc_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_local_interactive_user_has_.forward_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_local_interactive_user_has_.rhosts_files" | |
selected="true"/> | |
<xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_local_interactive_user_dot_files_are_not_group_or_world_writable" | |
selected="true"/> | |
</xccdf:Profile> | |
</pre> | |
</div><script type="text/javascript">setState('d1e1037_xml', false);</script></td> | |
</tr> | |
</tbody> | |
</table> | |
<div class="backtop"><a href="#top" title="back to top">⇧</a></div> | |
</div> | |
<div id="checklist"> | |
<h2 class="sectionTitle">Assessment Results</h2> | |
<div> | |
<div class="outerDiv" style="display: inline"> | |
<div class="innerDiv" id="toggleEssentialHygieneArea" style="float: left"><input type="checkbox" id="essentialHygieneCheckbox" onclick="checkboxToggled()">Display Only Essential Hygiene (CIS Critical Security Controls V8- IG-1)</input></div> | |
<div class="innerDiv" id="toggleFailuresArea" style="float: right"><input type="checkbox" id="failuresOnlyCheckbox" onclick="checkboxToggled()">Display Only Failures</input></div> | |
</div> | |
<div id="noControls8Div" class="outerDiv" style="float: left; display: none;"> | |
<p style="color:red; float: left; margin: 0;">No mapped CIS Critical Security Controls V8 Safeguards</p> | |
</div> | |
<div class="outerDiv" style="float: left"><a href="#" class="show_hide" id="moreLessLink" style="float: left; margin: 0px 0px 0px 0px;" onclick="toggleHygieneMoreLink();return false;">More</a><div class="content" id="hygieneMoreInfoDiv" style="display: none; float: left;"> | |
<table class="enum" width="100%" style="float: left;"> | |
<thead align="left"> | |
<tr> | |
<th colspan="2">CIS Critical Security Controls</th> | |
</tr> | |
</thead> | |
<tbody> | |
<tr> | |
<td style="text-align: left;"> | |
<p style="font-size:11px"> | |
                                 The CIS Critical Security Controls is a prioritized set of actions to help guide organizations
                                 in their mission to protect data from cyber-attack vectors. The CIS Critical Security Controls are
                                 organized into Implementation Groups, a subset of Controls broadly assessed by community consensus
                                 to be applicable to organizations with similar risk profiles.
</p> | |
<p style="font-size:11px"> | |
                                 Implementation Group 1 (IG-1) is defined as the foundational set of cyber defense Safeguards that
                                 every enterprise should apply to guard against the most common attacks.
</p> | |
<p style="font-size:11px"> | |
                                 CIS Benchmarks best practice guidance helps organizations establish system configuration health
                                 (CIS Control 4). Most best practice recommendations within a CIS Benchmark are mapped to one
                                 or more CIS Control Safeguards. To help each organization prioritize remediation efforts, we've
                                 added a filter that allows you to focus on "Fail" results where CIS Controls mappings exist that
                                 fall into IG-1. Use this filter to help you focus on what to remediate first.
</p> | |
</td> | |
</tr> | |
</tbody> | |
</table> | |
</div> | |
</div> | |
</div> | |
<table id="assessmentResultTable" width="100%"> | |
<thead> | |
<tr> | |
<th title="weight" class="serif">w</th> | |
<th>Benchmark Item</th> | |
<th>Result</th> | |
</tr> | |
</thead> | |
<tbody> | |
<tr> | |
<td id="checklist-d1e2131" class="group sect" colspan="3"><a href="#detail-d1e2131">1 Initial Setup</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e2136" class="group sect" colspan="3"><a href="#detail-d1e2136">1.1 Filesystem Configuration</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e2154" class="group sect" colspan="3"><a href="#detail-d1e2154">1.1.1 Disable unused filesystems</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29474">1.1.1.1 Ensure mounting of cramfs filesystems is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29474"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29531">1.1.1.2 Ensure mounting of squashfs filesystems is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29531"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29589">1.1.1.3 Ensure mounting of udf filesystems is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29589"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e2529" class="group sect" colspan="3"><a href="#detail-d1e2529">1.1.2 Configure /tmp</a></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29646">1.1.2.1 Ensure /tmp is a separate partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29646"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29683">1.1.2.2 Ensure nodev option set on /tmp partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29683"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29718">1.1.2.3 Ensure noexec option set on /tmp partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29718"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29753">1.1.2.4 Ensure nosuid option set on /tmp partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29753"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e2896" class="group sect" colspan="3"><a href="#detail-d1e2896">1.1.3 Configure /var</a></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29788">1.1.3.1 Ensure separate partition exists for /var</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29788"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29823">1.1.3.2 Ensure nodev option set on /var partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29823"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29859">1.1.3.3 Ensure nosuid option set on /var partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29859"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e3134" class="group sect" colspan="3"><a href="#detail-d1e3134">1.1.4 Configure /var/tmp</a></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29894">1.1.4.1 Ensure separate partition exists for /var/tmp</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29894"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29929">1.1.4.2 Ensure noexec option set on /var/tmp partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29929"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29964">1.1.4.3 Ensure nosuid option set on /var/tmp partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29964"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e29999">1.1.4.4 Ensure nodev option set on /var/tmp partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e29999"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e3440" class="group sect" colspan="3"><a href="#detail-d1e3440">1.1.5 Configure /var/log</a></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30034">1.1.5.1 Ensure separate partition exists for /var/log</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30034"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30069">1.1.5.2 Ensure nodev option set on /var/log partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30069"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30104">1.1.5.3 Ensure noexec option set on /var/log partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30104"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30139">1.1.5.4 Ensure nosuid option set on /var/log partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30139"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e3734" class="group sect" colspan="3"><a href="#detail-d1e3734">1.1.6 Configure /var/log/audit</a></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30174">1.1.6.1 Ensure separate partition exists for /var/log/audit</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30174"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30209">1.1.6.2 Ensure noexec option set on /var/log/audit partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30209"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30245">1.1.6.3 Ensure nodev option set on /var/log/audit partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30245"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30280">1.1.6.4 Ensure nosuid option set on /var/log/audit partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30280"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e4050" class="group sect" colspan="3"><a href="#detail-d1e4050">1.1.7 Configure /home</a></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30315">1.1.7.1 Ensure separate partition exists for /home</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30315"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30350">1.1.7.2 Ensure nodev option set on /home partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30350"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30385">1.1.7.3 Ensure nosuid option set on /home partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30385"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e4299" class="group sect" colspan="3"><a href="#detail-d1e4299">1.1.8 Configure /dev/shm</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30420">1.1.8.1 Ensure nodev option set on /dev/shm partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30420"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30518">1.1.8.2 Ensure noexec option set on /dev/shm partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30518"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30618">1.1.8.3 Ensure nosuid option set on /dev/shm partition</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30618"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30716">1.1.9 Disable Automounting</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30716"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30803">1.1.10 Disable USB Storage</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30803"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e4628" class="group sect" colspan="3"><a href="#detail-d1e4628">1.2 Configure Software Updates</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e30861">1.2.1 Ensure package manager repositories are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30861"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e30867">1.2.2 Ensure GPG keys are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30867"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e4694" class="group sect" colspan="3"><a href="#detail-d1e4694">1.3 Filesystem Integrity Checking</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e30872">1.3.1 Ensure AIDE is installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e30872"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e31013">1.3.2 Ensure filesystem integrity is regularly checked</a></td> | |
<td class="numeric"><span><a href="#detail-d1e31013"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e4897" class="group sect" colspan="3"><a href="#detail-d1e4897">1.4 Secure Boot Settings</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e31522">1.4.1 Ensure bootloader password is set</a></td> | |
<td class="numeric"><span><a href="#detail-d1e31522"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e31693">1.4.2 Ensure permissions on bootloader config are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e31693"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e31853">1.4.3 Ensure authentication required for single user mode</a></td> | |
<td class="numeric"><span><a href="#detail-d1e31853"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e5083" class="group sect" colspan="3"><a href="#detail-d1e5083">1.5 Additional Process Hardening</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e31947">1.5.1 Ensure address space layout randomization (ASLR) is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e31947"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32016">1.5.2 Ensure prelink is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32016"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32049">1.5.3 Ensure Automatic Error Reporting is not enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32049"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32165">1.5.4 Ensure core dumps are restricted</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32165"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e5365" class="group sect" colspan="3"><a href="#detail-d1e5365">1.6 Mandatory Access Control</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e5379" class="group sect" colspan="3"><a href="#detail-d1e5379">1.6.1 Configure AppArmor</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32328">1.6.1.1 Ensure AppArmor is installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32328"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32470">1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32470"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32645">1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32645"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32692">1.6.1.4 Ensure all AppArmor Profiles are enforcing</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32692"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e5562" class="group sect" colspan="3"><a href="#detail-d1e5562">1.7 Command Line Warning Banners</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32739">1.7.1 Ensure message of the day is configured properly</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32739"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32779">1.7.2 Ensure local login warning banner is configured properly</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32779"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32819">1.7.3 Ensure remote login warning banner is configured properly</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32819"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e32859">1.7.4 Ensure permissions on /etc/motd are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e32859"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33059">1.7.5 Ensure permissions on /etc/issue are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33059"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33104">1.7.6 Ensure permissions on /etc/issue.net are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33104"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e5920" class="group sect" colspan="3"><a href="#detail-d1e5920">1.8 GNOME Display Manager</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33149">1.8.1 Ensure GNOME Display Manager is removed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33149"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33182">1.8.2 Ensure GDM login banner is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33182"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33259">1.8.3 Ensure GDM disable-user-list option is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33259"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33338">1.8.4 Ensure GDM screen locks when the user is idle</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33338"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33419">1.8.5 Ensure GDM screen locks cannot be overridden</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33419"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33501">1.8.6 Ensure GDM automatic mounting of removable media is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33501"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33579">1.8.7 Ensure GDM disabling automatic mounting of removable media is not overridden</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33579"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33655">1.8.8 Ensure GDM autorun-never is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33655"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33731">1.8.9 Ensure GDM autorun-never is not overridden</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33731"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33807">1.8.10 Ensure XDMCP is not enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33807"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e33840">1.9 Ensure updates, patches, and additional security software are installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33840"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e7270" class="group sect" colspan="3"><a href="#detail-d1e7270">2 Services</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e7276" class="group sect" colspan="3"><a href="#detail-d1e7276">2.1 Configure Time Synchronization</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e7303" class="group sect" colspan="3"><a href="#detail-d1e7303">2.1.1 Ensure time synchronization is in use</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e33845">2.1.1.1 Ensure a single time synchronization daemon is in use</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33845"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e7476" class="group sect" colspan="3"><a href="#detail-d1e7476">2.1.2 Configure chrony</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e33889">2.1.2.1 Ensure chrony is configured with authorized timeserver</a></td> | |
<td class="numeric"><span><a href="#detail-d1e33889"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e34050">2.1.2.2 Ensure chrony is running as user _chrony</a></td> | |
<td class="numeric"><span><a href="#detail-d1e34050"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e34171">2.1.2.3 Ensure chrony is enabled and running</a></td> | |
<td class="numeric"><span><a href="#detail-d1e34171"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e7738" class="group sect" colspan="3"><a href="#detail-d1e7738">2.1.3 Configure systemd-timesyncd</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e34353">2.1.3.1 Ensure systemd-timesyncd configured with authorized timeserver</a></td> | |
<td class="numeric"><span><a href="#detail-d1e34353"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e34499">2.1.3.2 Ensure systemd-timesyncd is enabled and running</a></td> | |
<td class="numeric"><span><a href="#detail-d1e34499"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e7974" class="group sect" colspan="3"><a href="#detail-d1e7974">2.1.4 Configure ntp</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e34722">2.1.4.1 Ensure ntp access control is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e34722"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e34818">2.1.4.2 Ensure ntp is configured with authorized timeserver</a></td> | |
<td class="numeric"><span><a href="#detail-d1e34818"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e34887">2.1.4.3 Ensure ntp is running as user ntp</a></td> | |
<td class="numeric"><span><a href="#detail-d1e34887"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e34997">2.1.4.4 Ensure ntp is enabled and running</a></td> | |
<td class="numeric"><span><a href="#detail-d1e34997"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e8425" class="group sect" colspan="3"><a href="#detail-d1e8425">2.2 Special Purpose Services</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35139">2.2.1 Ensure X Window System is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35139"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35200">2.2.2 Ensure Avahi Server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35200"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35233">2.2.3 Ensure CUPS is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35233"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35269">2.2.4 Ensure DHCP Server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35269"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35304">2.2.5 Ensure LDAP server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35304"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35339">2.2.6 Ensure NFS is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35339"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35372">2.2.7 Ensure DNS Server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35372"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35405">2.2.8 Ensure FTP Server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35405"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35438">2.2.9 Ensure HTTP server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35438"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35471">2.2.10 Ensure IMAP and POP3 server are not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35471"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35532">2.2.11 Ensure Samba is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35532"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35565">2.2.12 Ensure HTTP Proxy Server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35565"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35598">2.2.13 Ensure SNMP Server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35598"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35631">2.2.14 Ensure NIS Server is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35631"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35665">2.2.15 Ensure mail transfer agent is configured for local-only mode</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35665"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35698">2.2.16 Ensure rsync service is either not installed or masked</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35698"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e9108" class="group sect" colspan="3"><a href="#detail-d1e9108">2.3 Service Clients</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35880">2.3.1 Ensure NIS Client is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35880"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35913">2.3.2 Ensure rsh client is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35913"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35946">2.3.3 Ensure talk client is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35946"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e35979">2.3.4 Ensure telnet client is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e35979"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36012">2.3.5 Ensure LDAP client is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36012"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36045">2.3.6 Ensure RPC is not installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36045"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e36078">2.4 Ensure nonessential services are removed or masked</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36078"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e9424" class="group sect" colspan="3"><a href="#detail-d1e9424">3 Network Configuration</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e9502" class="group sect" colspan="3"><a href="#detail-d1e9502">3.1 Disable unused network protocols and devices</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e36082">3.1.1 Ensure system is checked to determine if IPv6 is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36082"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36124">3.1.2 Ensure wireless interfaces are disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36124"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36168">3.1.3 Ensure DCCP is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36168"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36225">3.1.4 Ensure SCTP is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36225"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36282">3.1.5 Ensure RDS is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36282"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36339">3.1.6 Ensure TIPC is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36339"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e10049" class="group sect" colspan="3"><a href="#detail-d1e10049">3.2 Network Parameters (Host Only)</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36396">3.2.1 Ensure packet redirect sending is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36396"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36501">3.2.2 Ensure IP forwarding is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36501"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e10465" class="group sect" colspan="3"><a href="#detail-d1e10465">3.3 Network Parameters (Host and Router)</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36642">3.3.1 Ensure source routed packets are not accepted</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36642"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e36883">3.3.2 Ensure ICMP redirects are not accepted</a></td> | |
<td class="numeric"><span><a href="#detail-d1e36883"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37124">3.3.3 Ensure secure ICMP redirects are not accepted</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37124"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37237">3.3.4 Ensure suspicious packets are logged</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37237"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37343">3.3.5 Ensure broadcast ICMP requests are ignored</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37343"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37399">3.3.6 Ensure bogus ICMP responses are ignored</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37399"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37454">3.3.7 Ensure Reverse Path Filtering is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37454"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37559">3.3.8 Ensure TCP SYN Cookies is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37559"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37614">3.3.9 Ensure IPv6 router advertisements are not accepted</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37614"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e12074" class="group sect" colspan="3"><a href="#detail-d1e12074">3.4 Firewall Configuration</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e12102" class="group sect" colspan="3"><a href="#detail-d1e12102">3.4.1 Configure UncomplicatedFirewall</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37753">3.4.1.1 Ensure ufw is installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37753"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37824">3.4.1.2 Ensure iptables-persistent is not installed with ufw</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37824"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e37935">3.4.1.3 Ensure ufw service is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e37935"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e38017">3.4.1.4 Ensure ufw loopback traffic is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38017"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e38189">3.4.1.5 Ensure ufw outbound connections are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38189"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e38194">3.4.1.6 Ensure ufw firewall rules exist for all open ports</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38194"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e38282">3.4.1.7 Ensure ufw default deny firewall policy</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38282"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e12520" class="group sect" colspan="3"><a href="#detail-d1e12520">3.4.2 Configure nftables</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e38463">3.4.2.1 Ensure nftables is installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38463"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e38536">3.4.2.2 Ensure ufw is uninstalled or disabled with nftables</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38536"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e38647">3.4.2.3 Ensure iptables are flushed with nftables</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38647"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e38652">3.4.2.4 Ensure a nftables table exists</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38652"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e38742">3.4.2.5 Ensure nftables base chains exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38742"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e38924">3.4.2.6 Ensure nftables loopback traffic is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e38924"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e39008">3.4.2.7 Ensure nftables outbound and established connections are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39008"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e39013">3.4.2.8 Ensure nftables default deny firewall policy</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39013"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e39197">3.4.2.9 Ensure nftables service is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39197"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e39295">3.4.2.10 Ensure nftables rules are permanent</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39295"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e13192" class="group sect" colspan="3"><a href="#detail-d1e13192">3.4.3 Configure iptables</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e13201" class="group sect" colspan="3"><a href="#detail-d1e13201">3.4.3.1 Configure iptables software</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e39368">3.4.3.1.1 Ensure iptables packages are installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39368"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e39555">3.4.3.1.2 Ensure nftables is not installed with iptables</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39555"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e39632">3.4.3.1.3 Ensure ufw is uninstalled or disabled with iptables</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39632"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e13379" class="group sect" colspan="3"><a href="#detail-d1e13379">3.4.3.2 Configure IPv4 iptables</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e39747">3.4.3.2.1 Ensure iptables default deny firewall policy</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39747"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e39903">3.4.3.2.2 Ensure iptables loopback traffic is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e39903"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e40074">3.4.3.2.3 Ensure iptables outbound and established connections are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40074"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40079">3.4.3.2.4 Ensure iptables firewall rules exist for all open ports</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40079"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e13651" class="group sect" colspan="3"><a href="#detail-d1e13651">3.4.3.3 Configure IPv6 ip6tables</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40165">3.4.3.3.1 Ensure ip6tables default deny firewall policy</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40165"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40359">3.4.3.3.2 Ensure ip6tables loopback traffic is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40359"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e40483">3.4.3.3.3 Ensure ip6tables outbound and established connections are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40483"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40488">3.4.3.3.4 Ensure ip6tables firewall rules exist for all open ports</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40488"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e13919" class="group sect" colspan="3"><a href="#detail-d1e13919">4 Logging and Auditing</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e13957" class="group sect" colspan="3"><a href="#detail-d1e13957">4.1 Configure System Accounting (auditd)</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e14068" class="group sect" colspan="3"><a href="#detail-d1e14068">4.1.1 Ensure auditing is enabled</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40612">4.1.1.1 Ensure auditd is installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40612"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40754">4.1.1.2 Ensure auditd service is enabled and active</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40754"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40868">4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40868"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40921">4.1.1.4 Ensure audit_backlog_limit is sufficient</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40921"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e14285" class="group sect" colspan="3"><a href="#detail-d1e14285">4.1.2 Configure Data Retention</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e40975">4.1.2.1 Ensure audit log storage size is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e40975"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e41063">4.1.2.2 Ensure audit logs are not automatically deleted</a></td> | |
<td class="numeric"><span><a href="#detail-d1e41063"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e41096">4.1.2.3 Ensure system is disabled when audit logs are full</a></td> | |
<td class="numeric"><span><a href="#detail-d1e41096"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e14471" class="group sect" colspan="3"><a href="#detail-d1e14471">4.1.3 Configure auditd rules</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e41352">4.1.3.1 Ensure changes to system administration scope (sudoers) is collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e41352"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e41453">4.1.3.2 Ensure actions as another user are always logged</a></td> | |
<td class="numeric"><span><a href="#detail-d1e41453"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e41562">4.1.3.3 Ensure events that modify the sudo log file are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e41562"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e41606">4.1.3.4 Ensure events that modify date and time information are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e41606"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e41822">4.1.3.5 Ensure events that modify the system's network environment are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e41822"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e42157">4.1.3.6 Ensure use of privileged commands are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e42157"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e42537">4.1.3.7 Ensure unsuccessful file access attempts are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e42537"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e43488">4.1.3.8 Ensure events that modify user/group information are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e43488"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e43736">4.1.3.9 Ensure discretionary access control permission modification events are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e43736"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44025">4.1.3.10 Ensure successful file system mounts are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44025"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44118">4.1.3.11 Ensure session initiation information is collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44118"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44273">4.1.3.12 Ensure login and logout events are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44273"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44376">4.1.3.13 Ensure file deletion events by users are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44376"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44473">4.1.3.14 Ensure events that modify the system's Mandatory Access Controls are collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44473"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44574">4.1.3.15 Ensure successful and unsuccessful attempts to use the chcon command are recorded</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44574"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44631">4.1.3.16 Ensure successful and unsuccessful attempts to use the setfacl command are recorded</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44631"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44689">4.1.3.17 Ensure successful and unsuccessful attempts to use the chacl command are recorded</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44689"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44746">4.1.3.18 Ensure successful and unsuccessful attempts to use the usermod command are recorded</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44746"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e44803">4.1.3.19 Ensure kernel module loading unloading and modification is collected</a></td> | |
<td class="numeric"><span><a href="#detail-d1e44803"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e45048">4.1.3.20 Ensure the audit configuration is immutable</a></td> | |
<td class="numeric"><span><a href="#detail-d1e45048"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e45099">4.1.3.21 Ensure the running and on disk configuration is the same</a></td> | |
<td class="numeric"><span><a href="#detail-d1e45099"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e16826" class="group sect" colspan="3"><a href="#detail-d1e16826">4.1.4 Configure auditd file access</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e45103">4.1.4.1 Ensure audit log files are mode 0640 or less permissive</a></td> | |
<td class="numeric"><span><a href="#detail-d1e45103"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e45151">4.1.4.2 Ensure only authorized users own audit log files</a></td> | |
<td class="numeric"><span><a href="#detail-d1e45151"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e45199">4.1.4.3 Ensure only authorized groups are assigned ownership of audit log files</a></td> | |
<td class="numeric"><span><a href="#detail-d1e45199"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e45249">4.1.4.4 Ensure the audit log directory is 0750 or more restrictive</a></td> | |
<td class="numeric"><span><a href="#detail-d1e45249"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e45291">4.1.4.5 Ensure audit configuration files are 640 or more restrictive</a></td> | |
<td class="numeric"><span><a href="#detail-d1e45291"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e48214">4.1.4.7 Ensure audit configuration files belong to group root</a></td> | |
<td class="numeric"><span><a href="#detail-d1e48214"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e49675">4.1.4.8 Ensure audit tools are 755 or more restrictive</a></td> | |
<td class="numeric"><span><a href="#detail-d1e49675"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e50614">4.1.4.9 Ensure audit tools are owned by root</a></td> | |
<td class="numeric"><span><a href="#detail-d1e50614"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e51553">4.1.4.10 Ensure audit tools belong to group root</a></td> | |
<td class="numeric"><span><a href="#detail-d1e51553"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e52492">4.1.4.11 Ensure cryptographic mechanisms are used to protect the integrity of audit tools</a></td> | |
<td class="numeric"><span><a href="#detail-d1e52492"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e17298" class="group sect" colspan="3"><a href="#detail-d1e17298">4.2 Configure Logging</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e17358" class="group sect" colspan="3"><a href="#detail-d1e17358">4.2.1 Configure journald</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e17380" class="group sect" colspan="3"><a href="#detail-d1e17380">4.2.1.1 Ensure journald is configured to send logs to a remote log host</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e52669">4.2.1.1.1 Ensure systemd-journal-remote is installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e52669"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e52771">4.2.1.1.2 Ensure systemd-journal-remote is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e52771"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e52776">4.2.1.1.3 Ensure systemd-journal-remote is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e52776"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e52836">4.2.1.1.4 Ensure journald is not configured to receive logs from a remote client</a></td> | |
<td class="numeric"><span><a href="#detail-d1e52836"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e52898">4.2.1.2 Ensure journald service is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e52898"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e52958">4.2.1.3 Ensure journald is configured to compress large log files</a></td> | |
<td class="numeric"><span><a href="#detail-d1e52958"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e53050">4.2.1.4 Ensure journald is configured to write logfiles to persistent disk</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53050"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e53139">4.2.1.5 Ensure journald is not configured to send logs to rsyslog</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53139"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e53230">4.2.1.6 Ensure journald log rotation is configured per site policy</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53230"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e53235">4.2.1.7 Ensure journald default file permissions configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53235"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e17929" class="group sect" colspan="3"><a href="#detail-d1e17929">4.2.2 Configure rsyslog</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e53242">4.2.2.1 Ensure rsyslog is installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53242"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e53344">4.2.2.2 Ensure rsyslog service is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53344"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e53404">4.2.2.3 Ensure journald is configured to send logs to rsyslog</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53404"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e53495">4.2.2.4 Ensure rsyslog default file permissions are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53495"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e53616">4.2.2.5 Ensure logging is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53616"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e53623">4.2.2.6 Ensure rsyslog is configured to send logs to a remote log host</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53623"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e53742">4.2.2.7 Ensure rsyslog is not configured to receive logs from a remote client</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53742"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e53862">4.2.3 Ensure all logfiles have appropriate permissions and ownership</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53862"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e18587" class="group sect" colspan="3"><a href="#detail-d1e18587">5 Access, Authentication and Authorization</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e18591" class="group sect" colspan="3"><a href="#detail-d1e18591">5.1 Configure time-based job schedulers</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e53912">5.1.1 Ensure cron daemon is enabled and running</a></td> | |
<td class="numeric"><span><a href="#detail-d1e53912"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e54025">5.1.2 Ensure permissions on /etc/crontab are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e54025"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e54253">5.1.3 Ensure permissions on /etc/cron.hourly are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e54253"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e54475">5.1.4 Ensure permissions on /etc/cron.daily are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e54475"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e54697">5.1.5 Ensure permissions on /etc/cron.weekly are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e54697"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e54919">5.1.6 Ensure permissions on /etc/cron.monthly are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e54919"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e55141">5.1.7 Ensure permissions on /etc/cron.d are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e55141"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e55363">5.1.8 Ensure cron is restricted to authorized users</a></td> | |
<td class="numeric"><span><a href="#detail-d1e55363"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e55620">5.1.9 Ensure at is restricted to authorized users</a></td> | |
<td class="numeric"><span><a href="#detail-d1e55620"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e19215" class="group sect" colspan="3"><a href="#detail-d1e19215">5.2 Configure SSH Server</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e55837">5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e55837"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e56066">5.2.2 Ensure permissions on SSH private host key files are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e56066"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e56182">5.2.3 Ensure permissions on SSH public host key files are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e56182"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e56670">5.2.4 Ensure SSH access is limited</a></td> | |
<td class="numeric"><span><a href="#detail-d1e56670"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e56883">5.2.5 Ensure SSH LogLevel is appropriate</a></td> | |
<td class="numeric"><span><a href="#detail-d1e56883"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e57032">5.2.6 Ensure SSH PAM is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e57032"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e57180">5.2.7 Ensure SSH root login is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e57180"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e57383">5.2.8 Ensure SSH HostbasedAuthentication is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e57383"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e57531">5.2.9 Ensure SSH PermitEmptyPasswords is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e57531"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e57679">5.2.10 Ensure SSH PermitUserEnvironment is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e57679"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e57827">5.2.11 Ensure SSH IgnoreRhosts is enabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e57827"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e57975">5.2.12 Ensure SSH X11 forwarding is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e57975"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e58122">5.2.13 Ensure only strong Ciphers are used</a></td> | |
<td class="numeric"><span><a href="#detail-d1e58122"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e58245">5.2.14 Ensure only strong MAC algorithms are used</a></td> | |
<td class="numeric"><span><a href="#detail-d1e58245"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e58363">5.2.15 Ensure only strong Key Exchange algorithms are used</a></td> | |
<td class="numeric"><span><a href="#detail-d1e58363"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e58478">5.2.16 Ensure SSH AllowTcpForwarding is disabled</a></td> | |
<td class="numeric"><span><a href="#detail-d1e58478"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e58626">5.2.17 Ensure SSH warning banner is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e58626"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e58743">5.2.18 Ensure SSH MaxAuthTries is set to 4 or less</a></td> | |
<td class="numeric"><span><a href="#detail-d1e58743"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e58891">5.2.19 Ensure SSH MaxStartups is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e58891"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e59039">5.2.20 Ensure SSH MaxSessions is set to 10 or less</a></td> | |
<td class="numeric"><span><a href="#detail-d1e59039"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e59185">5.2.21 Ensure SSH LoginGraceTime is set to one minute or less</a></td> | |
<td class="numeric"><span><a href="#detail-d1e59185"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e59333">5.2.22 Ensure SSH Idle Timeout Interval is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e59333"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e20619" class="group sect" colspan="3"><a href="#detail-d1e20619">5.3 Configure privilege escalation</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e59536">5.3.1 Ensure sudo is installed</a></td> | |
<td class="numeric"><span><a href="#detail-d1e59536"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e59640">5.3.2 Ensure sudo commands use pty</a></td> | |
<td class="numeric"><span><a href="#detail-d1e59640"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e59770">5.3.3 Ensure sudo log file exists</a></td> | |
<td class="numeric"><span><a href="#detail-d1e59770"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e59911">5.3.4 Ensure users must provide password for privilege escalation</a></td> | |
<td class="numeric"><span><a href="#detail-d1e59911"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60032">5.3.5 Ensure re-authentication for privilege escalation is not disabled globally</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60032"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60093">5.3.6 Ensure sudo authentication timeout is configured correctly</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60093"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60156">5.3.7 Ensure access to the su command is restricted</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60156"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e21096" class="group sect" colspan="3"><a href="#detail-d1e21096">5.4 Configure PAM</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60265">5.4.1 Ensure password creation requirements are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60265"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60457">5.4.2 Ensure lockout for failed password attempts is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60457"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60718">5.4.3 Ensure password reuse is limited</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60718"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60822">5.4.4 Ensure password hashing algorithm is up to date with the latest standards</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60822"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e60855">5.4.5 Ensure all current passwords uses the configured hashing algorithm</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60855"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e21613" class="group sect" colspan="3"><a href="#detail-d1e21613">5.5 User Accounts and Environment</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e21618" class="group sect" colspan="3"><a href="#detail-d1e21618">5.5.1 Set Shadow Password Suite Parameters</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60860">5.5.1.1 Ensure minimum days between password changes is configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60860"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e60981">5.5.1.2 Ensure password expiration is 365 days or less</a></td> | |
<td class="numeric"><span><a href="#detail-d1e60981"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e61099">5.5.1.3 Ensure password expiration warning days is 7 or more</a></td> | |
<td class="numeric"><span><a href="#detail-d1e61099"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e61215">5.5.1.4 Ensure inactive password lock is 30 days or less</a></td> | |
<td class="numeric"><span><a href="#detail-d1e61215"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e61331">5.5.1.5 Ensure all users last password change date is in the past</a></td> | |
<td class="numeric"><span><a href="#detail-d1e61331"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e61368">5.5.2 Ensure system accounts are secured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e61368"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e61447">5.5.3 Ensure default group for the root account is GID 0</a></td> | |
<td class="numeric"><span><a href="#detail-d1e61447"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e61530">5.5.4 Ensure default user umask is 027 or more restrictive</a></td> | |
<td class="numeric"><span><a href="#detail-d1e61530"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="resultRow"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e62166">5.5.5 Ensure default user shell timeout is 900 seconds or less</a></td> | |
<td class="numeric"><span><a href="#detail-d1e62166"><span class="fail">Fail</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e22537" class="group sect" colspan="3"><a href="#detail-d1e22537">6 System Maintenance</a></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e22542" class="group sect" colspan="3"><a href="#detail-d1e22542">6.1 System File Permissions</a></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e62208">6.1.1 Ensure permissions on /etc/passwd are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e62208"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e62368">6.1.2 Ensure permissions on /etc/passwd- are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e62368"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e62529">6.1.3 Ensure permissions on /etc/group are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e62529"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e62689">6.1.4 Ensure permissions on /etc/group- are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e62689"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e62849">6.1.5 Ensure permissions on /etc/shadow are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e62849"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e62987">6.1.6 Ensure permissions on /etc/shadow- are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e62987"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e63125">6.1.7 Ensure permissions on /etc/gshadow are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63125"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e63329">6.1.8 Ensure permissions on /etc/gshadow- are configured</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63329"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e63533">6.1.9 Ensure no world writable files exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63533"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e63570">6.1.10 Ensure no unowned files or directories exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63570"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e63608">6.1.11 Ensure no ungrouped files or directories exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63608"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e63646">6.1.12 Audit SUID executables</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63646"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><br></br></td> | |
<td><a href="#detail-d1e63650">6.1.13 Audit SGID executables</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63650"><span class="informational">Manual</span></a></span></td> | |
</tr> | |
<tr> | |
<td id="checklist-d1e23219" class="group sect" colspan="3"><a href="#detail-d1e23219">6.2 Local User and Group Settings</a></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e63655">6.2.1 Ensure accounts in /etc/passwd use shadowed passwords</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63655"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e63688">6.2.2 Ensure /etc/shadow password fields are not empty</a></td> | |
<td class="numeric"><span><a href="#detail-d1e63688"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66053">6.2.3 Ensure all groups in /etc/passwd exist in /etc/group</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66053"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66093">6.2.4 Ensure shadow group is empty</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66093"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66163">6.2.5 Ensure no duplicate UIDs exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66163"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66214">6.2.6 Ensure no duplicate GIDs exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66214"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66265">6.2.7 Ensure no duplicate user names exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66265"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66316">6.2.8 Ensure no duplicate group names exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66316"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66367">6.2.9 Ensure root PATH Integrity</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66367"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonCriticalControlArea nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66409">6.2.10 Ensure root is the only UID 0 account</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66409"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66440">6.2.11 Ensure local interactive user home directories exist</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66440"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66483">6.2.12 Ensure local interactive users own their home directories</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66483"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66525">6.2.13 Ensure local interactive user home directories are mode 750 or more restrictive</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66525"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66572">6.2.14 Ensure no local interactive user has .netrc files</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66572"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66617">6.2.15 Ensure no local interactive user has .forward files</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66617"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66662">6.2.16 Ensure no local interactive user has .rhosts files</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66662"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
<tr class="nonFailureArea tableVisible"> | |
<td><span class="weight">1.0</span></td> | |
<td><a href="#detail-d1e66707">6.2.17 Ensure local interactive user dot files are not group or world writable</a></td> | |
<td class="numeric"><span><a href="#detail-d1e66707"><span class="pass">Pass</span></a></span></td> | |
</tr> | |
</tbody> | |
</table> | |
<div class="backtop"><a href="#top" title="back to top">⇧</a></div> | |
</div> | |
<div id="assessmentDetailsArea"> | |
<h2 class="sectionTitle">Assessment Details</h2> | |
<div id="front-matter"></div> | |
<div id="detail-d1e2131" class="group"> | |
<h2 class="ruleGroupTitle" title="xccdf_org.cisecurity.benchmarks_group_1_Initial_Setup">1 Initial Setup</h2> | |
<div class="description"> | |
<p>Items in this section are advised for all systems, but may be difficult or require | |
extensive preparation after the initial setup of the system.</p> | |
</div> | |
</div> | |
<div id="detail-d1e2136" class="group"> | |
<h2 class="ruleGroupTitle" title="xccdf_org.cisecurity.benchmarks_group_1.1_Filesystem_Configuration">1.1 Filesystem Configuration</h2> | |
<div class="description"> | |
<p>Directories that are used for system-wide functions can be further protected by placing | |
them on separate partitions. This provides protection against resource exhaustion and
enables the use of mounting options that are applicable to the directory's intended | |
use. Users' data can be stored on separate partitions and have stricter mount options. | |
A user partition is a filesystem that has been established for use by the users and | |
does not contain software for system operations.</p> | |
<p>The recommendations in this section are easier to perform during initial system installation. | |
If the system is already installed, it is recommended that a full backup be performed | |
before repartitioning the system.</p> | |
<p><strong>Note:</strong> | |
If you are repartitioning a system that has already been installed, make sure the | |
data has been copied over to the new partition, unmount it and then remove the data | |
from the directory that was in the old partition. Otherwise it will still consume | |
space in the old partition that will be masked when the new filesystem is mounted. | |
For example, if a system is in single-user mode with no filesystems mounted and the | |
administrator adds a lot of data to the | |
<span class="inline_block">/tmp</span> | |
directory, this data will still consume space in | |
<span class="inline_block">/</span> | |
once the <span class="inline_block">/tmp</span> | |
filesystem is mounted unless it is removed first. | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e2154" class="group"> | |
<h2 class="ruleGroupTitle" title="xccdf_org.cisecurity.benchmarks_group_1.1.1_Disable_unused_filesystems">1.1.1 Disable unused filesystems</h2> | |
<div class="description"> | |
<p>A number of uncommon filesystem types are supported under Linux. Removing support | |
for unneeded filesystem types reduces the local attack surface of the system. If a | |
filesystem type is not needed it should be disabled. Native Linux file systems are | |
designed to ensure that built-in security controls function as expected. Non-native | |
filesystems can lead to unexpected consequences to both the security and functionality | |
of the system and should be used with caution. Many filesystems are created for niche | |
use cases and are not maintained and supported as the operating systems are updated | |
and patched. Users of non-native filesystems should ensure that there is attention | |
and ongoing support for them, especially in light of frequent operating system changes.</p> | |
<p>Standard network connectivity and Internet access to cloud storage may make the use | |
of non-standard filesystem formats to directly attach heterogeneous devices much less | |
attractive.</p> | |
<p><strong>Note</strong> | |
: This should not be considered a comprehensive list of filesystems. You may wish | |
to consider additions to those listed here for your environment. For the currently available
file system modules on the system see | |
<span class="inline_block">/usr/lib/modules/$(uname -r)/kernel/fs</span></p> | |
<h4>Start up scripts</h4> | |
<p> | |
Kernel modules loaded directly via | |
<span class="inline_block">insmod</span> | |
will ignore what is configured in the relevant | |
<span class="inline_block">/etc/modprobe.d/*.conf</span> | |
files. If modules are still being loaded after a reboot whilst having the correctly | |
configured | |
<span class="inline_block">blacklist</span> | |
and <span class="inline_block">install</span> | |
command, check for | |
<span class="inline_block">insmod</span> | |
entries in start up scripts such as | |
<span class="inline_block">.bashrc</span> | |
. </p> | |
<p> | |
You may also want to check | |
<span class="inline_block">/usr/lib/modprobe.d/</span> | |
. Please note that this directory should not be used for user defined module loading. | |
Ensure that all such entries reside in
<span class="inline_block">/etc/modprobe.d/*.conf</span> | |
files. </p> | |
<h4>Return values</h4> | |
<p> | |
Using
<span class="inline_block">/bin/false</span>
as the command when disabling a particular module serves two purposes: to convey the
meaning of the entry to the user and to cause a non-zero return value. The latter can
be tested for in scripts. Please note that
<span class="inline_block">insmod</span> | |
will ignore what is configured in the relevant | |
<span class="inline_block">/etc/modprobe.d/*.conf</span> | |
files. The preferred way to load modules is with | |
<span class="inline_block">modprobe</span> | |
. </p> | |
</div> | |
</div> | |
<div id="detail-d1e29474" class="Rule nonCriticalControlArea visible"><span class="outcome fail ruleResultArea">Fail</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled">1.1.1.1 Ensure mounting of cramfs filesystems is disabled</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">cramfs</span> | |
filesystem type is a compressed read-only Linux filesystem embedded in small footprint | |
systems. A | |
<span class="inline_block">cramfs</span> | |
image can be used without having to first decompress the image. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p>Removing support for unneeded filesystem types reduces the local attack surface of | |
the system. If this filesystem type is not needed, disable it.</p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
Run the following script to disable | |
<span class="inline_block">cramfs</span> | |
: | |
</p><code class="code_block"> | |
#!/usr/bin/env bash | |
<br></br><br></br> | |
{ | |
<br></br> | |
l_mname="cramfs" # set module name | |
<br></br> | |
# Check if the module exists on the system | |
<br></br> | |
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" | |
]; then | |
<br></br> | |
# Remediate loadable | |
<br></br> | |
l_loadable="$(modprobe -n -v "$l_mname")" | |
<br></br> | |
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" | |
<<< "$l_loadable")" | |
<br></br> | |
if ! grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then | |
<br></br> | |
echo -e " - setting module: \"$l_mname\" to be not loadable" | |
<br></br> | |
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf | |
<br></br> | |
fi | |
<br></br> | |
# Remediate loaded | |
<br></br> | |
if lsmod | grep "$l_mname" > /dev/null 2>&1; then | |
<br></br> | |
echo -e " - unloading module \"$l_mname\"" | |
<br></br> | |
modprobe -r "$l_mname" | |
<br></br> | |
fi | |
<br></br> | |
# Remediate deny list | |
<br></br> | |
if ! modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then | |
<br></br> | |
echo -e " - deny listing \"$l_mname\"" | |
<br></br> | |
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf | |
<br></br> | |
fi | |
<br></br> | |
else | |
<br></br> | |
echo -e " - Nothing to remediate\n - Module \"$l_mname\" doesn't exist on the system" | |
<br></br> | |
fi | |
<br></br> | |
} | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29474" class="check"> | |
<div><span class="action" id="d1e29474_evidence_button" onclick="switchState('d1e29474_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29474_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="sce"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Script:</td> | |
<td>sce/nix_module_chk.sh</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
<tr> | |
<td class="bold">Exit Value:</td> | |
<td>102</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Output:</td> | |
<td> | |
<ul class="unstyled"> | |
<li>- Audit Result:</li> | |
<li> ** FAIL **</li> | |
<li> - Reason(s) for audit failure:</li> | |
<li> - module: "cramfs" is not deny listed</li> | |
<li>- Correctly set:</li> | |
<li> - module: "cramfs" is not loadable: "install /bin/true "</li> | |
<li> - module: "cramfs" is not loaded</li> | |
</ul> | |
</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td>No error lines were collected.</td> | |
</tr> | |
</tbody> | |
</table> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29474_xml_result_button" onclick="switchState('d1e29474_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29474_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.311Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>fail</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/9/subcontrol/2" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/8" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://open-scap.org/page/SCE" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-export export-name="XCCDF_VALUE_REGEX" | |
value-id="xccdf_org.cisecurity.benchmarks_value_3032684_var"/> | |
<xccdf:check-content-ref href="sce/nix_module_chk.sh"/> | |
<xccdf:check-content> | |
<command_result href="sce/nix_module_chk.sh" | |
xccdf="fail" | |
script="/home/jenkins/cis-cat-tool/Assessor/sce/nix_module_chk.sh" | |
exit-value="102"> | |
<out> | |
<l>- Audit Result:</l> | |
<l> ** FAIL **</l> | |
<l> - Reason(s) for audit failure:</l> | |
<l> - module: "cramfs" is not deny listed</l> | |
<l>- Correctly set:</l> | |
<l> - module: "cramfs" is not loadable: "install /bin/true "</l> | |
<l> - module: "cramfs" is not loaded</l> | |
</out> | |
<err/> | |
<env> | |
<e name="XCCDF_VALUE_REGEX">cramfs</e> | |
</env> | |
</command_result> | |
</xccdf:check-content> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="sce"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Script:</td> | |
<td>sce/nix_module_chk.sh</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
<tr> | |
<td class="bold">Exit Value:</td> | |
<td>102</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Output:</td> | |
<td> | |
<ul class="unstyled"> | |
<li>- Audit Result:</li> | |
<li> ** FAIL **</li> | |
<li> - Reason(s) for audit failure:</li> | |
<li> - module: "cramfs" is not deny listed</li> | |
<li>- Correctly set:</li> | |
<li> - module: "cramfs" is not loadable: "install /bin/true "</li> | |
<li> - module: "cramfs" is not loaded</li> | |
</ul> | |
</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td>No error lines were collected.</td> | |
</tr> | |
</tbody> | |
</table> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29474_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"></ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 9: Limitation and Control of Network Ports, Protocols, and Services: </b> -- <span class="cce-action" id="d1e2230_xml_button" onclick="switchStateML('d1e2230_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2230_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Manage (track/control/correct) the ongoing operational use of ports, protocols, and | |
services on networked devices in order to minimize windows of vulnerability available | |
to attackers.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">9.2</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Ensure Only Approved Ports, Protocols and Services Are Running</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Ensure that only network ports, protocols, and services listening on a system with | |
validated business needs are running on each system.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2230_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 4: Secure Configuration of Enterprise Assets and Software: </b> -- <span class="cce-action" id="d1e2225_xml_button" onclick="switchStateML('d1e2225_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2225_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Establish and maintain the secure configuration of enterprise assets (end-user devices, | |
including portable and mobile; network devices; non-computing/IoT devices; and servers) | |
and software (operating systems and applications).</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">4.8</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Uninstall or Disable Unnecessary Services on Enterprise Assets and Software</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Uninstall or disable unnecessary services on enterprise assets and software, such | |
as an unused file sharing service, web application module, or service function.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-2</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2225_xml', false);</script></li>
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2154" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e29531" class="Rule nonCriticalControlArea visible"><span class="outcome fail ruleResultArea">Fail</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled">1.1.1.2 Ensure mounting of squashfs filesystems is disabled</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">squashfs</span> | |
filesystem type is a compressed read-only Linux filesystem embedded in small footprint | |
systems. A | |
<span class="inline_block">squashfs</span> | |
image can be used without having to first decompress the image. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p>Removing support for unneeded filesystem types reduces the local attack surface of | |
the system. If this filesystem type is not needed, disable it.</p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
Run the following script to disable | |
<span class="inline_block">squashfs</span> | |
: | |
</p><code class="code_block"> | |
#!/usr/bin/env bash | |
<br></br><br></br> | |
{ | |
<br></br> | |
l_mname="squashfs" # set module name | |
<br></br> | |
# Check if the module exists on the system | |
<br></br> | |
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" | |
]; then | |
<br></br> | |
# Remediate loadable | |
<br></br> | |
l_loadable="$(modprobe -n -v "$l_mname")" | |
<br></br> | |
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" | |
<<< "$l_loadable")" | |
<br></br> | |
if ! grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then | |
<br></br> | |
echo -e " - setting module: \"$l_mname\" to be not loadable" | |
<br></br> | |
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf | |
<br></br> | |
fi | |
<br></br> | |
# Remediate loaded | |
<br></br> | |
if lsmod | grep "$l_mname" > /dev/null 2>&1; then | |
<br></br> | |
echo -e " - unloading module \"$l_mname\"" | |
<br></br> | |
modprobe -r "$l_mname" | |
<br></br> | |
fi | |
<br></br> | |
# Remediate deny list | |
<br></br> | |
if ! modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then | |
<br></br> | |
echo -e " - deny listing \"$l_mname\"" | |
<br></br> | |
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf | |
<br></br> | |
fi | |
<br></br> | |
else | |
<br></br> | |
echo -e " - Nothing to remediate\n - Module \"$l_mname\" doesn't exist on the system" | |
<br></br> | |
fi | |
<br></br> | |
} | |
</code><p class="bold">Impact:</p> | |
<p> | |
<p> | |
As Snap packages utilize
<span class="inline_block">squashfs</span> | |
as a compressed filesystem, disabling | |
<span class="inline_block">squashfs</span> | |
will cause Snap packages to fail. | |
</p> | |
<p><span class="inline_block">Snap</span> | |
application packages of software are self-contained and work across a range of Linux
distributions. This is unlike traditional Linux package management approaches, like
APT or RPM, which require specifically adapted packages per Linux distribution on
an application update and therefore delay application deployment from developers to
their software's end users. Snaps themselves have no dependency on any external store
("App store"), can be obtained from any source, and can therefore be used for upstream
software deployment.
</p> | |
</p> | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e29531" class="check"> | |
<div><span class="action" id="d1e29531_evidence_button" onclick="switchState('d1e29531_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29531_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="sce"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Script:</td> | |
<td>sce/nix_module_chk.sh</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
<tr> | |
<td class="bold">Exit Value:</td> | |
<td>102</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Output:</td> | |
<td> | |
<ul class="unstyled"> | |
<li>- Audit Result:</li> | |
<li> ** FAIL **</li> | |
<li> - Reason(s) for audit failure:</li> | |
<li> - module: "squashfs" is not deny listed</li> | |
<li>- Correctly set:</li> | |
<li> - module: "squashfs" is not loadable: "install /bin/true "</li> | |
<li> - module: "squashfs" is not loaded</li> | |
</ul> | |
</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td>No error lines were collected.</td> | |
</tr> | |
</tbody> | |
</table> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29531_xml_result_button" onclick="switchState('d1e29531_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29531_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_squashfs_filesystems_is_disabled" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.311Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>fail</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/9/subcontrol/2" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/8" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://open-scap.org/page/SCE" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-export export-name="XCCDF_VALUE_REGEX" | |
value-id="xccdf_org.cisecurity.benchmarks_value_3032685_var"/> | |
<xccdf:check-content-ref href="sce/nix_module_chk.sh"/> | |
<xccdf:check-content> | |
<command_result href="sce/nix_module_chk.sh" | |
xccdf="fail" | |
script="/home/jenkins/cis-cat-tool/Assessor/sce/nix_module_chk.sh" | |
exit-value="102"> | |
<out> | |
<l>- Audit Result:</l> | |
<l> ** FAIL **</l> | |
<l> - Reason(s) for audit failure:</l> | |
<l> - module: "squashfs" is not deny listed</l> | |
<l>- Correctly set:</l> | |
<l> - module: "squashfs" is not loadable: "install /bin/true "</l> | |
<l> - module: "squashfs" is not loaded</l> | |
</out> | |
<err/> | |
<env> | |
<e name="XCCDF_VALUE_REGEX">squashfs</e> | |
</env> | |
</command_result> | |
</xccdf:check-content> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="sce"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Script:</td> | |
<td>sce/nix_module_chk.sh</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
<tr> | |
<td class="bold">Exit Value:</td> | |
<td>102</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Output:</td> | |
<td> | |
<ul class="unstyled"> | |
<li>- Audit Result:</li> | |
<li> ** FAIL **</li> | |
<li> - Reason(s) for audit failure:</li> | |
<li> - module: "squashfs" is not deny listed</li> | |
<li>- Correctly set:</li> | |
<li> - module: "squashfs" is not loadable: "install /bin/true "</li> | |
<li> - module: "squashfs" is not loaded</li> | |
</ul> | |
</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td>No error lines were collected.</td> | |
</tr> | |
</tbody> | |
</table> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29531_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"></ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 9: Limitation and Control of Network Ports, Protocols, and Services: </b> -- <span class="cce-action" id="d1e2328_xml_button" onclick="switchStateML('d1e2328_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2328_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Manage (track/control/correct) the ongoing operational use of ports, protocols, and | |
services on networked devices in order to minimize windows of vulnerability available | |
to attackers.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">9.2</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Ensure Only Approved Ports, Protocols and Services Are Running</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Ensure that only network ports, protocols, and services listening on a system with | |
validated business needs are running on each system.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2328_xml', false);</script></li> | |
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 4: Secure Configuration of Enterprise Assets and Software: </b> -- <span class="cce-action" id="d1e2323_xml_button" onclick="switchStateML('d1e2323_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2323_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Establish and maintain the secure configuration of enterprise assets (end-user devices, | |
including portable and mobile; network devices; non-computing/IoT devices; and servers) | |
and software (operating systems and applications).</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">4.8</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Uninstall or Disable Unnecessary Services on Enterprise Assets and Software</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Uninstall or disable unnecessary services on enterprise assets and software, such | |
as an unused file sharing service, web application module, or service function.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-2</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2323_xml', false);</script></li> | |
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2154" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e29589" class="Rule nonCriticalControlArea visible"><span class="outcome fail ruleResultArea">Fail</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled">1.1.1.3 Ensure mounting of udf filesystems is disabled</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">udf</span> | |
filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 | |
specifications. This is an open vendor filesystem type for data storage on a broad | |
range of media. This filesystem type is necessary to support writing DVDs and newer | |
optical disc formats. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p>Removing support for unneeded filesystem types reduces the local attack surface of | |
the system. If this filesystem type is not needed, disable it.</p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
Run the following script to disable the | |
<span class="inline_block">udf</span> | |
filesystem: | |
</p><code class="code_block"> | |
#!/usr/bin/env bash | |
<br></br><br></br> | |
{ | |
<br></br> | |
l_mname="udf" # set module name | |
<br></br> | |
# Check if the module exists on the system | |
<br></br> | |
if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" | |
]; then | |
<br></br> | |
# Remediate loadable | |
<br></br> | |
l_loadable="$(modprobe -n -v "$l_mname")" | |
<br></br> | |
[ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" | |
<<< "$l_loadable")" | |
<br></br> | |
if ! grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then | |
<br></br> | |
echo -e " - setting module: \"$l_mname\" to be not loadable" | |
<br></br> | |
echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf | |
<br></br> | |
fi | |
<br></br> | |
# Remediate loaded | |
<br></br> | |
if lsmod | grep "$l_mname" > /dev/null 2>&1; then | |
<br></br> | |
echo -e " - unloading module \"$l_mname\"" | |
<br></br> | |
modprobe -r "$l_mname" | |
<br></br> | |
fi | |
<br></br> | |
# Remediate deny list | |
<br></br> | |
if ! modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$l_mname\b"; then | |
<br></br> | |
echo -e " - deny listing \"$l_mname\"" | |
<br></br> | |
echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf | |
<br></br> | |
fi | |
<br></br> | |
else | |
<br></br> | |
echo -e " - Nothing to remediate\n - Module \"$l_mname\" doesn't exist on the system" | |
<br></br> | |
fi | |
<br></br> | |
} | |
</code><p class="bold">Impact:</p> | |
<p> | |
<p> | |
Microsoft Azure requires the usage of | |
<span class="inline_block">udf</span> | |
. | |
</p> | |
<p><span class="inline_block">udf</span> | |
should not be disabled on systems run on Microsoft Azure. | |
</p> | |
</p> | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e29589" class="check"> | |
<div><span class="action" id="d1e29589_evidence_button" onclick="switchState('d1e29589_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29589_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="sce"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Script:</td> | |
<td>sce/nix_module_chk.sh</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
<tr> | |
<td class="bold">Exit Value:</td> | |
<td>102</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Output:</td> | |
<td> | |
<ul class="unstyled"> | |
<li>- Audit Result:</li> | |
<li> ** FAIL **</li> | |
<li> - Reason(s) for audit failure:</li> | |
<li> - module: "udf" is not deny listed</li> | |
<li>- Correctly set:</li> | |
<li> - module: "udf" is not loadable: "install /bin/true "</li> | |
<li> - module: "udf" is not loaded</li> | |
</ul> | |
</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td>No error lines were collected.</td> | |
</tr> | |
</tbody> | |
</table> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29589_xml_result_button" onclick="switchState('d1e29589_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29589_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_udf_filesystems_is_disabled" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.311Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>fail</xccdf:result> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/4/subcontrol/8" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/9/subcontrol/2" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://open-scap.org/page/SCE" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-export export-name="XCCDF_VALUE_REGEX" | |
value-id="xccdf_org.cisecurity.benchmarks_value_3032686_var"/> | |
<xccdf:check-content-ref href="sce/nix_module_chk.sh"/> | |
<xccdf:check-content> | |
<command_result href="sce/nix_module_chk.sh" | |
xccdf="fail" | |
script="/home/jenkins/cis-cat-tool/Assessor/sce/nix_module_chk.sh" | |
exit-value="102"> | |
<out> | |
<l>- Audit Result:</l> | |
<l> ** FAIL **</l> | |
<l> - Reason(s) for audit failure:</l> | |
<l> - module: "udf" is not deny listed</l> | |
<l>- Correctly set:</l> | |
<l> - module: "udf" is not loadable: "install /bin/true "</l> | |
<l> - module: "udf" is not loaded</l> | |
</out> | |
<err/> | |
<env> | |
<e name="XCCDF_VALUE_REGEX">udf</e> | |
</env> | |
</command_result> | |
</xccdf:check-content> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="sce"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Script:</td> | |
<td>sce/nix_module_chk.sh</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
<tr> | |
<td class="bold">Exit Value:</td> | |
<td>102</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Output:</td> | |
<td> | |
<ul class="unstyled"> | |
<li>- Audit Result:</li> | |
<li> ** FAIL **</li> | |
<li> - Reason(s) for audit failure:</li> | |
<li> - module: "udf" is not deny listed</li> | |
<li>- Correctly set:</li> | |
<li> - module: "udf" is not loadable: "install /bin/true "</li> | |
<li> - module: "udf" is not loaded</li> | |
</ul> | |
</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td>No error lines were collected.</td> | |
</tr> | |
</tbody> | |
</table> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29589_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"></ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 9: Limitation and Control of Network Ports, Protocols, and Services: </b> -- <span class="cce-action" id="d1e2439_xml_button" onclick="switchStateML('d1e2439_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2439_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Manage (track/control/correct) the ongoing operational use of ports, protocols, and | |
services on networked devices in order to minimize windows of vulnerability available | |
to attackers.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">9.2</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Ensure Only Approved Ports, Protocols and Services Are Running</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Ensure that only network ports, protocols, and services listening on a system with | |
validated business needs are running on each system.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2439_xml', false);</script></li> | |
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 4: Secure Configuration of Enterprise Assets and Software: </b> -- <span class="cce-action" id="d1e2434_xml_button" onclick="switchStateML('d1e2434_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2434_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Establish and maintain the secure configuration of enterprise assets (end-user devices, | |
including portable and mobile; network devices; non-computing/IoT devices; and servers) | |
and software (operating systems and applications).</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">4.8</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Uninstall or Disable Unnecessary Services on Enterprise Assets and Software</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Uninstall or disable unnecessary services on enterprise assets and software, such | |
as an unused file sharing service, web application module, or service function.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-2</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2434_xml', false);</script></li> | |
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2154" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e2529" class="group"> | |
<h2 class="ruleGroupTitle" title="xccdf_org.cisecurity.benchmarks_group_1.1.2_Configure_tmp">1.1.2 Configure /tmp</h2> | |
<div class="description"> | |
<p>The /tmp directory is a world-writable directory used for temporary storage by all | |
users and some applications.</p> | |
</div> | |
</div> | |
<div id="detail-d1e29646" class="Rule resultRow"><span class="outcome fail ruleResultArea">Fail</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.2.1_Ensure_tmp_is_a_separate_partition">1.1.2.1 Ensure /tmp is a separate partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">/tmp</span> | |
directory is a world-writable directory used for temporary storage by all users and | |
some applications. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Making | |
<span class="inline_block">/tmp</span> | |
its own file system allows an administrator to set additional mount options such as | |
the | |
<span class="inline_block">noexec</span> | |
option on the mount, making | |
<span class="inline_block">/tmp</span> | |
useless to an attacker as a place to install executable code. It would also prevent an attacker | |
from establishing a hard link to a system | |
<span class="inline_block">setuid</span> | |
program and waiting for it to be updated. Once the program was updated, the hard link | |
would be broken and the attacker would have his own copy of the program. If the program | |
happened to have a security vulnerability, the attacker could continue to exploit | |
the known flaw. | |
</p> | |
<p> | |
This can be accomplished by either mounting | |
<span class="inline_block">tmpfs</span> | |
to | |
<span class="inline_block">/tmp</span> | |
, or creating a separate partition for | |
<span class="inline_block">/tmp</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
First verify that systemd is correctly configured so that | |
<span class="inline_block">/tmp</span> | |
will be mounted at boot time. | |
</p><code class="code_block"># systemctl unmask tmp.mount | |
</code><p> | |
For specific configuration requirements of the | |
<span class="inline_block">/tmp</span> | |
mount for your environment, modify | |
<span class="inline_block">/etc/fstab</span> | |
or | |
<span class="inline_block">tmp.mount</span> | |
. | |
</p> | |
<p> | |
Example of | |
<span class="inline_block">/etc/fstab</span> | |
configured | |
<span class="inline_block">tmpfs</span> | |
file system with specific mount options: | |
</p><code class="code_block">tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime,size=2G 0 0 | |
</code><p> | |
Example of | |
<span class="inline_block">tmp.mount</span> | |
configured | |
<span class="inline_block">tmpfs</span> | |
file system with specific mount options: | |
</p><code class="code_block"> | |
[Unit] | |
<br></br> | |
Description=Temporary Directory /tmp | |
<br></br> | |
ConditionPathIsSymbolicLink=!/tmp | |
<br></br> | |
DefaultDependencies=no | |
<br></br> | |
Conflicts=umount.target | |
<br></br> | |
Before=local-fs.target umount.target | |
<br></br> | |
After=swap.target | |
<br></br><br></br> | |
[Mount] | |
<br></br> | |
What=tmpfs | |
<br></br> | |
Where=/tmp | |
<br></br> | |
Type=tmpfs | |
</code><p class="bold">Impact:</p> | |
<p> | |
<p> | |
Since the | |
<span class="inline_block">/tmp</span> | |
directory is intended to be world-writable, there is a risk of resource exhaustion | |
if it is not bound to a separate partition. | |
</p> | |
<p> | |
Running out of | |
<span class="inline_block">/tmp</span> | |
space is a problem regardless of what kind of filesystem lies under it, but in a configuration | |
where | |
<span class="inline_block">/tmp</span> | |
is not a separate file system it will essentially have the whole disk available, as | |
the default installation only creates a single | |
<span class="inline_block">/</span> | |
partition. On the other hand, a RAM-based | |
<span class="inline_block">/tmp</span> | |
(as with | |
<span class="inline_block">tmpfs</span> | |
) will almost certainly be much smaller, which can lead to applications filling up | |
the filesystem much more easily. Another alternative is to create a dedicated partition | |
for | |
<span class="inline_block">/tmp</span> | |
from a separate volume or disk. One of the downsides of a disk-based dedicated partition | |
is that it will be slower than | |
<span class="inline_block">tmpfs</span> | |
which is RAM-based. | |
</p> | |
<p><span class="inline_block">/tmp</span> | |
utilizing | |
<span class="inline_block">tmpfs</span> | |
can be resized using the | |
<span class="inline_block">size={size}</span> | |
parameter in the relevant entry in | |
<span class="inline_block">/etc/fstab</span> | |
. | |
</p> | |
</p> | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e29646" class="check"> | |
<div><span class="action" id="d1e29646_evidence_button" onclick="switchState('d1e29646_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29646_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894359"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2894359" check="all" check_existence="at_least_one_exists"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /tmp and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>At Least One Exists</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29646_xml_result_button" onclick="switchState('d1e29646_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29646_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.1_Ensure_tmp_is_a_separate_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.314Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>fail</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/</xccdf:ident> | |
<xccdf:ident system="URL">https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894359"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894359"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2894359" | |
check="all" | |
check_existence="at_least_one_exists"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /tmp and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>At Least One Exists</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29646_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/</li> | |
<li><span class="bold">URL: </span>https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e2551_xml_button" onclick="switchStateML('d1e2551_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2551_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2551_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e2546_xml_button" onclick="switchStateML('d1e2546_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2546_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2546_xml', false);</script></li>
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2529" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e29683" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.2.2_Ensure_nodev_option_set_on_tmp_partition">1.1.2.2 Ensure nodev option set on /tmp partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">nodev</span> | |
mount option specifies that the filesystem cannot contain special devices. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/tmp</span> | |
filesystem is not intended to support devices, set this option to ensure that users | |
cannot create block or character special devices in
<span class="inline_block">/tmp</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
Edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">nodev</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/tmp</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block">&lt;device&gt; /tmp &lt;fstype&gt; defaults,rw,nosuid,nodev,noexec,relatime 0 0
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/tmp</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /tmp | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29683" class="check"> | |
<div><span class="action" id="d1e29683_evidence_button" onclick="switchState('d1e29683_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29683_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965841"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965841" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /tmp may exists and all have at least one partition option equals | |
'nodev' (string)</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29683_xml_result_button" onclick="switchState('d1e29683_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29683_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.2_Ensure_nodev_option_set_on_tmp_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.314Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965841"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965841"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965841" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /tmp may exists and all have at least one partition option equals 'nodev' (string)</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29683_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e2724_xml_button" onclick="switchStateML('d1e2724_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2724_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2724_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e2719_xml_button" onclick="switchStateML('d1e2719_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2719_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2719_xml', false);</script></li>
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2529" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e29718" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.2.3_Ensure_noexec_option_set_on_tmp_partition">1.1.2.3 Ensure noexec option set on /tmp partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">noexec</span> | |
mount option specifies that the filesystem cannot contain executable binaries. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/tmp</span> | |
filesystem is only intended for temporary file storage, set this option to ensure | |
that users cannot run executable binaries from | |
<span class="inline_block">/tmp</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
Edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">noexec</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/tmp</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block">&lt;device&gt; /tmp &lt;fstype&gt; defaults,rw,nosuid,nodev,noexec,relatime 0 0
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/tmp</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /tmp | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29718" class="check"> | |
<div><span class="action" id="d1e29718_evidence_button" onclick="switchState('d1e29718_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29718_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965842"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965842" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /tmp may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29718_xml_result_button" onclick="switchState('d1e29718_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29718_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.3_Ensure_noexec_option_set_on_tmp_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.315Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965842"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965842"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965842" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /tmp may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29718_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e2785_xml_button" onclick="switchStateML('d1e2785_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2785_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2785_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e2780_xml_button" onclick="switchStateML('d1e2780_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2780_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2780_xml', false);</script></li>
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2529" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e29753" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition">1.1.2.4 Ensure nosuid option set on /tmp partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">nosuid</span> | |
mount option specifies that the filesystem cannot contain | |
<span class="inline_block">setuid</span> | |
files. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/tmp</span> | |
filesystem is only intended for temporary file storage, set this option to ensure | |
that users cannot create | |
<span class="inline_block">setuid</span> | |
files in | |
<span class="inline_block">/tmp</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
Edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">nosuid</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/tmp</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block">&lt;device&gt; /tmp &lt;fstype&gt; defaults,rw,nosuid,nodev,noexec,relatime 0 0
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/tmp</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /tmp | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29753" class="check"> | |
<div><span class="action" id="d1e29753_evidence_button" onclick="switchState('d1e29753_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29753_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894362"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2894362" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /tmp may exists and all have at least one partition option equals | |
'nosuid' (string)</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29753_xml_result_button" onclick="switchState('d1e29753_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29753_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2.4_Ensure_nosuid_option_set_on_tmp_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.315Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894362"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894362"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2894362" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /tmp may exists and all have at least one partition option equals 'nosuid' (string)</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29753_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e2849_xml_button" onclick="switchStateML('d1e2849_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2849_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2849_xml', false);</script></li> | |
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e2844_xml_button" onclick="switchStateML('d1e2844_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2844_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2844_xml', false);</script></li> | |
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2529" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e2896" class="group"> | |
<h2 class="ruleGroupTitle" title="xccdf_org.cisecurity.benchmarks_group_1.1.3_Configure_var">1.1.3 Configure /var</h2> | |
<div class="description"> | |
<p> | |
The <span class="inline_block">/var</span> | |
directory is used by daemons and other system services to temporarily store dynamic | |
data. Some directories created by these processes may be world-writable. | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e29788" class="Rule resultRow"><span class="outcome fail ruleResultArea">Fail</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.3.1_Ensure_separate_partition_exists_for_var">1.1.3.1 Ensure separate partition exists for /var</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">/var</span> | |
directory is used by daemons and other system services to temporarily store dynamic | |
data. Some directories created by these processes may be world-writable. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
The reasoning for mounting | |
<span class="inline_block">/var</span> | |
on a separate partition is as follows. | |
</p> | |
<h4>Protection from resource exhaustion</h4> | |
<p> | |
The default installation only creates a single | |
<span class="inline_block">/</span> | |
partition. Since the | |
<span class="inline_block">/var</span> | |
directory may contain world-writable files and directories, there is a risk of resource | |
exhaustion. It will essentially have the whole disk available to fill up and impact | |
the system as a whole. In addition, other operations on the system could fill up the | |
disk unrelated to | |
<span class="inline_block">/var</span> | |
and cause unintended behavior across the system as the disk is full. See | |
<span class="inline_block">man auditd.conf</span> | |
for details. | |
</p> | |
<h4>Fine grained control over the mount</h4> | |
<p> | |
Configuring | |
<span class="inline_block">/var</span> | |
as its own file system allows an administrator to set additional mount options such | |
as | |
<span class="inline_block">noexec/nosuid/nodev</span> | |
. These options limit an attacker's ability to create exploits on the system. Other | |
options allow for specific behaviour. See | |
<span class="inline_block">man mount</span> | |
for exact details regarding filesystem-independent and filesystem-specific options. | |
</p> | |
<h4>Protection from exploitation</h4> | |
<p> | |
An example of exploiting | |
<span class="inline_block">/var</span> | |
may be an attacker establishing a hard-link to a system | |
<span class="inline_block">setuid</span> | |
program and waiting for it to be updated. Once the program was updated, the hard-link | |
would be broken and the attacker would have his own copy of the program. If the program | |
happened to have a security vulnerability, the attacker could continue to exploit | |
the known flaw. | |
</p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
For new installations, during installation create a custom partition setup and specify | |
a separate partition for | |
<span class="inline_block">/var</span> | |
. | |
</p> | |
<p> | |
For systems that were previously installed, create a new partition and configure | |
<span class="inline_block">/etc/fstab</span> | |
as appropriate. | |
</p> | |
<p class="bold">Impact:</p> | |
<p> | |
<p>Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem | |
partitions may prevent successful resizing, or may require the installation of additional | |
tools solely for the purpose of resizing operations. The use of these additional tools | |
may introduce their own security considerations.</p> | |
</p> | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e29788" class="check"> | |
<div><span class="action" id="d1e29788_evidence_button" onclick="switchState('d1e29788_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29788_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894363"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2894363" check="all" check_existence="at_least_one_exists"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>At Least One Exists</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29788_xml_result_button" onclick="switchState('d1e29788_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29788_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.1_Ensure_separate_partition_exists_for_var" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.316Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>fail</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894363"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2894363"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2894363" | |
check="all" | |
check_existence="at_least_one_exists"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>At Least One Exists</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29788_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e2922_xml_button" onclick="switchStateML('d1e2922_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2922_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2922_xml', false);</script></li> | |
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e2917_xml_button" onclick="switchStateML('d1e2917_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e2917_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e2917_xml', false);</script></li> | |
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2896" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e29823" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.3.2_Ensure_nodev_option_set_on_var_partition">1.1.3.2 Ensure nodev option set on /var partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">nodev</span> | |
mount option specifies that the filesystem cannot contain special devices. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/var</span> | |
filesystem is not intended to support devices, set this option to ensure that users | |
cannot create block or character special devices in | |
<span class="inline_block">/var</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p><strong>IF</strong> | |
the | |
<span class="inline_block">/var</span> | |
partition exists, edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">nodev</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/var</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block"><device> /var <fstype> defaults,rw,nosuid,nodev,relatime 0 0 | |
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/var</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /var | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29823" class="check"> | |
<div><span class="action" id="d1e29823_evidence_button" onclick="switchState('d1e29823_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29823_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965844"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965844" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var may exists and all have at least one partition option equals | |
'nodev' (string)</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29823_xml_result_button" onclick="switchState('d1e29823_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29823_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.2_Ensure_nodev_option_set_on_var_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.316Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965844"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965844"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965844" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var may exists and all have at least one partition option equals 'nodev' (string)</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29823_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e3015_xml_button" onclick="switchStateML('d1e3015_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3015_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e3015_xml', false);</script></li> | |
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e3010_xml_button" onclick="switchStateML('d1e3010_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3010_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e3010_xml', false);</script></li> | |
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e2896" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e29859" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.3.3_Ensure_nosuid_option_set_on_var_partition">1.1.3.3 Ensure nosuid option set on /var partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">nosuid</span> | |
mount option specifies that the filesystem cannot contain | |
<span class="inline_block">setuid</span> | |
files. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/var</span> | |
filesystem is only intended for variable files such as logs, set this option to ensure | |
that users cannot create | |
<span class="inline_block">setuid</span> | |
files in | |
<span class="inline_block">/var</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p><strong>IF</strong> | |
the | |
<span class="inline_block">/var</span> | |
partition exists, edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">nosuid</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/var</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block"><device> /var <fstype> defaults,rw,nosuid,nodev,relatime 0 0 | |
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/var</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /var | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29859" class="check"> | |
<div><span class="action" id="d1e29859_evidence_button" onclick="switchState('d1e29859_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29859_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965846"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965846" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29859_xml_result_button" onclick="switchState('d1e29859_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29859_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3.3_Ensure_nosuid_option_set_on_var_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.317Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965846"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965846"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965846" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29859_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e3083_xml_button" onclick="switchStateML('d1e3083_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3083_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e3083_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e3078_xml_button" onclick="switchStateML('d1e3078_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3078_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e3078_xml', false);</script></li>
</ul> | |
</p> | |
</div> | |
<div id="detail-d1e3134" class="group"> | |
<h2 class="ruleGroupTitle" title="xccdf_org.cisecurity.benchmarks_group_1.1.4_Configure_vartmp">1.1.4 Configure /var/tmp</h2> | |
<div class="description"> | |
<p> | |
The <span class="inline_block">/var/tmp</span> | |
directory is a world-writable directory used for temporary storage by all users and | |
some applications. Temporary files residing in | |
<span class="inline_block">/var/tmp</span> | |
are to be preserved between reboots. | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e29894" class="Rule resultRow"><span class="outcome fail ruleResultArea">Fail</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.4.1_Ensure_separate_partition_exists_for_vartmp">1.1.4.1 Ensure separate partition exists for /var/tmp</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">/var/tmp</span> | |
directory is a world-writable directory used for temporary storage by all users and | |
some applications. Temporary files residing in | |
<span class="inline_block">/var/tmp</span> | |
are to be preserved between reboots. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
The reasoning for mounting | |
<span class="inline_block">/var/tmp</span> | |
on a separate partition is as follows. | |
</p> | |
<h4>Protection from resource exhaustion</h4> | |
<p> | |
The default installation only creates a single | |
<span class="inline_block">/</span> | |
partition. Since the | |
<span class="inline_block">/var/tmp</span> | |
directory may contain world-writable files and directories, there is a risk of resource | |
exhaustion. It will essentially have the whole disk available to fill up and impact | |
the system as a whole. In addition, other operations on the system that are unrelated to
<span class="inline_block">/var/tmp</span>
could fill up the disk and potentially disrupt daemons once the disk is full.
</p> | |
<h4>Fine grained control over the mount</h4> | |
<p> | |
Configuring | |
<span class="inline_block">/var/tmp</span> | |
as its own file system allows an administrator to set additional mount options such | |
as | |
<span class="inline_block">noexec/nosuid/nodev</span> | |
. These options limit an attacker's ability to create exploits on the system. Other
options allow for specific behavior. See | |
<span class="inline_block">man mount</span> | |
for exact details regarding filesystem-independent and filesystem-specific options. | |
</p> | |
<h4>Protection from exploitation</h4> | |
<p> | |
An example of exploiting | |
<span class="inline_block">/var/tmp</span> | |
may be an attacker establishing a hard-link to a system | |
<span class="inline_block">setuid</span> | |
program and waiting for it to be updated. Once the program was updated, the hard-link
would be broken and the attacker would have his own copy of the program. If the program | |
happened to have a security vulnerability, the attacker could continue to exploit | |
the known flaw. | |
</p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
For new installations, during installation create a custom partition setup and specify | |
a separate partition for | |
<span class="inline_block">/var/tmp</span> | |
. | |
</p> | |
<p> | |
For systems that were previously installed, create a new partition and configure | |
<span class="inline_block">/etc/fstab</span> | |
as appropriate. | |
</p> | |
<p class="bold">Impact:</p> | |
<p> | |
<p>Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem | |
partitions may prevent successful resizing, or may require the installation of additional | |
tools solely for the purpose of resizing operations. The use of these additional tools | |
may introduce their own security considerations.</p> | |
</p> | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e29894" class="check"> | |
<div><span class="action" id="d1e29894_evidence_button" onclick="switchState('d1e29894_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29894_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2994932"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2994932" check="all" check_existence="at_least_one_exists"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/tmp and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>At Least One Exists</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29894_xml_result_button" onclick="switchState('d1e29894_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29894_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.1_Ensure_separate_partition_exists_for_vartmp" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.317Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>fail</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2994932"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2994932"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2994932" | |
check="all" | |
check_existence="at_least_one_exists"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/tmp and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>At Least One Exists</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29894_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e3166_xml_button" onclick="switchStateML('d1e3166_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3166_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e3166_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e3161_xml_button" onclick="switchStateML('d1e3161_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3161_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e3161_xml', false);</script></li>
</ul> | |
</p> | |
</div> | |
<div id="detail-d1e29929" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition">1.1.4.2 Ensure noexec option set on /var/tmp partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">noexec</span> | |
mount option specifies that the filesystem cannot contain executable binaries. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/var/tmp</span> | |
filesystem is only intended for temporary file storage, set this option to ensure | |
that users cannot run executable binaries from | |
<span class="inline_block">/var/tmp</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p><strong>IF</strong> | |
the | |
<span class="inline_block">/var/tmp</span> | |
partition exists, edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">noexec</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/var/tmp</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block">&lt;device&gt; /var/tmp &lt;fstype&gt; defaults,rw,nosuid,nodev,noexec,relatime 0 0
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/var/tmp</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /var/tmp | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29929" class="check"> | |
<div><span class="action" id="d1e29929_evidence_button" onclick="switchState('d1e29929_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29929_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965847"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965847" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/tmp may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29929_xml_result_button" onclick="switchState('d1e29929_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29929_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.2_Ensure_noexec_option_set_on_vartmp_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.317Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965847"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965847"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965847" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/tmp may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29929_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e3256_xml_button" onclick="switchStateML('d1e3256_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3256_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e3256_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e3251_xml_button" onclick="switchStateML('d1e3251_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3251_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
</div><script type="text/javascript">setStateML('d1e3251_xml', false);</script></li>
</ul> | |
</p> | |
</div> | |
<div id="detail-d1e29964" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition">1.1.4.3 Ensure nosuid option set on /var/tmp partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">nosuid</span> | |
mount option specifies that the filesystem cannot contain | |
<span class="inline_block">setuid</span> | |
files. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/var/tmp</span> | |
filesystem is only intended for temporary file storage, set this option to ensure | |
that users cannot create | |
<span class="inline_block">setuid</span> | |
files in | |
<span class="inline_block">/var/tmp</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p><strong>IF</strong> | |
the | |
<span class="inline_block">/var/tmp</span> | |
partition exists, edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">nosuid</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/var/tmp</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block">&lt;device&gt; /var/tmp &lt;fstype&gt; defaults,rw,nosuid,nodev,noexec,relatime 0 0
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/var/tmp</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /var/tmp | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29964" class="check"> | |
<div><span class="action" id="d1e29964_evidence_button" onclick="switchState('d1e29964_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29964_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965848"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965848" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/tmp may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29964_xml_result_button" onclick="switchState('d1e29964_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29964_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.3_Ensure_nosuid_option_set_on_vartmp_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.321Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965848"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965848"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965848" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/tmp may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29964_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e3324_xml_button" onclick="switchStateML('d1e3324_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3324_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
                                    </div><script type="text/javascript">setStateML('d1e3324_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e3319_xml_button" onclick="switchStateML('d1e3319_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3319_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
                                    </div><script type="text/javascript">setStateML('d1e3319_xml', false);</script></li>
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e3134" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e29999" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition">1.1.4.4 Ensure nodev option set on /var/tmp partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">nodev</span> | |
mount option specifies that the filesystem cannot contain special devices. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/var/tmp</span> | |
filesystem is not intended to support devices, set this option to ensure that users | |
                                                cannot create block or character special devices in
<span class="inline_block">/var/tmp</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p><strong>IF</strong> | |
the | |
<span class="inline_block">/var/tmp</span> | |
partition exists, edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">nodev</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/var/tmp</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block"><device> /var/tmp <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 | |
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/var/tmp</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /var/tmp | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e29999" class="check"> | |
<div><span class="action" id="d1e29999_evidence_button" onclick="switchState('d1e29999_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e29999_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965849"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965849" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/tmp may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e29999_xml_result_button" onclick="switchState('d1e29999_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e29999_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4.4_Ensure_nodev_option_set_on_vartmp_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.322Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965849"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965849"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965849" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/tmp may exists{else}exists and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e29999_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e3392_xml_button" onclick="switchStateML('d1e3392_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3392_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
                                    </div><script type="text/javascript">setStateML('d1e3392_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e3387_xml_button" onclick="switchStateML('d1e3387_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3387_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
                                    </div><script type="text/javascript">setStateML('d1e3387_xml', false);</script></li>
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e3134" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e3440" class="group"> | |
<h2 class="ruleGroupTitle" title="xccdf_org.cisecurity.benchmarks_group_1.1.5_Configure_varlog">1.1.5 Configure /var/log</h2> | |
<div class="description"> | |
<p> | |
The <span class="inline_block">/var/log</span> | |
directory is used by system services to store log data. | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e30034" class="Rule resultRow"><span class="outcome fail ruleResultArea">Fail</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.5.1_Ensure_separate_partition_exists_for_varlog">1.1.5.1 Ensure separate partition exists for /var/log</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">/var/log</span> | |
directory is used by system services to store log data. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
The reasoning for mounting | |
<span class="inline_block">/var/log</span> | |
on a separate partition is as follows. | |
</p> | |
<h4>Protection from resource exhaustion</h4> | |
<p> | |
The default installation only creates a single | |
<span class="inline_block">/</span> | |
partition. Since the | |
<span class="inline_block">/var/log</span> | |
directory contains log files which can grow quite large, there is a risk of resource | |
exhaustion. It will essentially have the whole disk available to fill up and impact | |
the system as a whole. | |
</p> | |
<h4>Fine grained control over the mount</h4> | |
<p> | |
Configuring | |
<span class="inline_block">/var/log</span> | |
as its own file system allows an administrator to set additional mount options such | |
as | |
<span class="inline_block">noexec/nosuid/nodev</span> | |
                                                   . These options limit an attacker's ability to create exploits on the system. Other
options allow for specific behavior. See | |
<span class="inline_block">man mount</span> | |
for exact details regarding filesystem-independent and filesystem-specific options. | |
</p> | |
<h4>Protection of log data</h4> | |
<p> | |
As | |
<span class="inline_block">/var/log</span> | |
contains log files, care should be taken to ensure the security and integrity of the | |
data and mount point. | |
</p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p> | |
For new installations, during installation create a custom partition setup and specify | |
a separate partition for | |
<span class="inline_block">/var/log</span> | |
. | |
</p> | |
<p> | |
For systems that were previously installed, create a new partition and configure | |
<span class="inline_block">/etc/fstab</span> | |
as appropriate. | |
</p> | |
<p class="bold">Impact:</p> | |
<p> | |
<p>Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem | |
partitions may prevent successful resizing, or may require the installation of additional | |
tools solely for the purpose of resizing operations. The use of these additional tools | |
may introduce their own security considerations.</p> | |
</p> | |
</p> | |
</div> | |
</div> | |
<div id="detail-d1e30034" class="check"> | |
<div><span class="action" id="d1e30034_evidence_button" onclick="switchState('d1e30034_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e30034_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2994933"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2994933" check="all" check_existence="at_least_one_exists"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/log and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>At Least One Exists</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e30034_xml_result_button" onclick="switchState('d1e30034_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e30034_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.1_Ensure_separate_partition_exists_for_varlog" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.323Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>fail</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/6/subcontrol/4" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/8/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2994933"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2994933"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2994933" | |
check="all" | |
check_existence="at_least_one_exists"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/log and all</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>At Least One Exists</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="fail">Fail</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e30034_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 6: Maintenance, Monitoring and Analysis of Audit Logs: </b> -- <span class="cce-action" id="d1e3466_xml_button" onclick="switchStateML('d1e3466_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3466_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Collect, manage and analyze audit logs of events that could help detect, understand, | |
or recover from an attack.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">6.4</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Ensure adequate storage for logs</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Ensure that all systems that store logs have adequate storage space for the logs generated.</td> | |
</tr> | |
</table> | |
                                    </div><script type="text/javascript">setStateML('d1e3466_xml', false);</script></li>
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 8: Audit Log Management: </b> -- <span class="cce-action" id="d1e3461_xml_button" onclick="switchStateML('d1e3461_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3461_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Collect, alert, review, and retain audit logs of events that could help detect, understand, | |
or recover from an attack.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">8.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Ensure Adequate Audit Log Storage</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Ensure that logging destinations maintain adequate storage to comply with the enterprise's | |
audit log management process.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
                                    </div><script type="text/javascript">setStateML('d1e3461_xml', false);</script></li>
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e3440" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e30069" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.5.2_Ensure_nodev_option_set_on_varlog_partition">1.1.5.2 Ensure nodev option set on /var/log partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">nodev</span> | |
mount option specifies that the filesystem cannot contain special devices. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/var/log</span> | |
filesystem is not intended to support devices, set this option to ensure that users | |
                                                cannot create block or character special devices in
<span class="inline_block">/var/log</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p><strong>IF</strong> | |
the | |
<span class="inline_block">/var/log</span> | |
partition exists, edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">nodev</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/var/log</span> | |
partition. | |
</p> | |
<p>Example:</p><code class="code_block"><device> /var/log <fstype> defaults,rw,nosuid,nodev,noexec,relatime 0 0 | |
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/var/log</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /var/log | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e30069" class="check"> | |
<div><span class="action" id="d1e30069_evidence_button" onclick="switchState('d1e30069_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e30069_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" xmlns:cc8="http://cisecurity.org/20-cc/v8.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" class="definition" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965850"> | |
<div class="criteria"> | |
<div class="criterion" id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965850" check="all" check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/log may exists and all have at least one partition option | |
equals 'nodev' (string)</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</td> | |
</tr> | |
</table> | |
</div> | |
</div><br></br><div><span class="action" id="d1e30069_xml_result_button" onclick="switchState('d1e30069_xml_result'); return false;">Show</span><span class="caption"> Rule Result XML</span></div> | |
<div class="xml" id="d1e30069_xml_result"> | |
<pre><xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:notes="http://benchmarks.cisecurity.org/notes" | |
xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" | |
xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" | |
xmlns:cc7="http://cisecurity.org/20-cc/v7.0" | |
xmlns:cc6="http://cisecurity.org/20-cc/v6.1" | |
xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:cc8="http://cisecurity.org/20-cc/v8.0" | |
xmlns="http://checklists.nist.gov/xccdf/1.2" | |
xmlns:xhtml="http://www.w3.org/1999/xhtml" | |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2" | |
xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" | |
xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2" | |
xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1" | |
idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5.2_Ensure_nodev_option_set_on_varlog_partition" | |
role="full" | |
severity="unknown" | |
time="2022-10-10T08:12:38.323Z" | |
version="1" | |
weight="1.0"> | |
<xccdf:result>pass</xccdf:result> | |
<xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/14/subcontrol/6" | |
system="http://cisecurity.org/20-cc/v7.0"/> | |
<xccdf:ident cc8:controlURI="http://cisecurity.org/20-cc/v8.0/control/3/subcontrol/3" | |
system="http://cisecurity.org/20-cc/v8.0"/> | |
<xccdf:ident system="URL">See the fstab(5) manual page for more information.</xccdf:ident> | |
<xccdf:complex-check operator="AND" negate="false"> | |
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" | |
negate="false" | |
multi-check="false"> | |
<xccdf:check-content-ref href="#OVAL-Results-1" | |
name="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965850"/> | |
<evidence xmlns="http://cisecurity.org/evidence"> | |
<div class="definition" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:def:2965850"> | |
<div class="criteria"> | |
<div class="criterion" | |
id="oval:org.cisecurity.benchmarks.debian_debian_linux_11:tst:2965850" | |
check="all" | |
check_existence="any_exist"> | |
<table class="evidence-sep" width="100%"> | |
<tbody class="tbe"> | |
<tr> | |
<td class="bold">Criterion:</td> | |
<td>Ensure partition at /var/log may exists and all have at least one partition option equals 'nodev' (string)</td> | |
</tr> | |
<tr> | |
<td class="bold">Existence Check:</td> | |
<td>Any Exist</td> | |
</tr> | |
<tr> | |
<td class="bold">Item Check:</td> | |
<td>All</td> | |
</tr> | |
<tr> | |
<td class="bold">Result:</td> | |
<td class="pass">Pass</td> | |
</tr> | |
</tbody> | |
</table> | |
<table class="evidence" width="100%"> | |
<tr> | |
<td>No matching system items were found.</td> | |
</tr> | |
</table> | |
</div> | |
</div> | |
</div> | |
</evidence> | |
</xccdf:check> | |
</xccdf:complex-check> | |
</xccdf:rule-result> | |
</pre> | |
</div><script type="text/javascript">setState('d1e30069_xml_result', false);</script><div class="reference"> | |
<p><span title="0"><span class="bold">References: </span></span><ul class="referenceList"> | |
<li><span class="bold">URL: </span>See the fstab(5) manual page for more information.</li> | |
</ul> | |
</p> | |
</div> | |
<p><span title="0"><span class="bold">CIS Controls V7.0: </span></span><ul class="referenceList"> | |
<li><b>Control 14: Controlled Access Based on the Need to Know: </b> -- <span class="cce-action" id="d1e3550_xml_button" onclick="switchStateML('d1e3550_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3550_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">The processes and tools used to track/control/prevent/correct secure access to critical | |
assets (e.g., information, resources, systems) according to the formal determination | |
of which persons, computers, and applications have a need and right to access these | |
critical assets based on an approved classification.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Subcontrol:</td> | |
<td width="80%">14.6</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Protect Information through Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Protect all information stored on systems with file system, network share, claims, | |
application, or database specific access control lists. These controls will enforce | |
the principle that only authorized individuals should have access to the information | |
based on their need to access the information as a part of their responsibilities.</td> | |
</tr> | |
</table> | |
 </div><script type="text/javascript">setStateML('d1e3550_xml', false);</script></li> | |
</ul> | |
</p> | |
<p><span title="0"><span class="bold">CIS Critical Security Controls V8.0: </span></span><ul class="referenceList"> | |
<li><b>Control 3: Data Protection: </b> -- <span class="cce-action" id="d1e3545_xml_button" onclick="switchStateML('d1e3545_xml'); return false;">More</span><div class="cceevidence rule-xml" id="d1e3545_xml"> | |
<table class="enum" width="100%"> | |
<thead> | |
<tr> | |
<th colspan="2">CIS Control Information</th> | |
</tr> | |
</thead> | |
<tr> | |
<td class="enum_name" width="20%">Control:</td> | |
<td width="80%">Develop processes and technical controls to identify, classify, securely handle, retain, | |
and dispose of data.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Safeguard:</td> | |
<td width="80%">3.3</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Label:</td> | |
<td width="80%">Configure Data Access Control Lists</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Description:</td> | |
<td width="80%">Configure data access control lists based on a user's need to know. Apply data access | |
control lists, also known as access permissions, to local and remote file systems, | |
databases, and applications.</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Implementation Group:</td> | |
<td width="80%">IG-1</td> | |
</tr> | |
<tr> | |
<td class="enum_name" width="20%">Security Function:</td> | |
<td width="80%">Protect</td> | |
</tr> | |
</table> | |
 </div><script type="text/javascript">setStateML('d1e3545_xml', false);</script></li> | |
</ul> | |
</p> | |
<div class="backtop"><a href="#summary-d1e3440" title="back to summary">Back to Summary</a></div> | |
</div> | |
<div id="detail-d1e30104" class="Rule nonFailureArea visible"><span class="outcome pass ruleResultArea">Pass</span><h3 class="ruleTitle" title="xccdf_org.cisecurity.benchmarks_rule_1.1.5.3_Ensure_noexec_option_set_on_varlog_partition">1.1.5.3 Ensure noexec option set on /var/log partition</h3> | |
<div class="description"> | |
<div class="bold">Description:</div> | |
<p> | |
The | |
<span class="inline_block">noexec</span> | |
mount option specifies that the filesystem cannot contain executable binaries. | |
</p> | |
</div> | |
<div class="rationale"> | |
<p> | |
Since the | |
<span class="inline_block">/var/log</span> | |
filesystem is only intended for log files, set this option to ensure that users cannot | |
run executable binaries from | |
<span class="inline_block">/var/log</span> | |
. </p> | |
</div> | |
<div class="fixtext"> | |
<div> | |
<p> | |
<p><strong>IF</strong> | |
the | |
<span class="inline_block">/var/log</span> | |
partition exists, edit the | |
<span class="inline_block">/etc/fstab</span> | |
file and add | |
<span class="inline_block">noexec</span> | |
to the fourth field (mounting options) for the | |
<span class="inline_block">/var/log</span> | |
partition. | |
</p> | |
 <p>Example:</p><code class="code_block">&lt;device&gt; /var/log &lt;fstype&gt; defaults,rw,nosuid,nodev,noexec,relatime 0 0 | |
</code><p> | |
Run the following command to remount | |
<span class="inline_block">/var/log</span> | |
with the configured options: | |
</p><code class="code_block"># mount -o remount /var/log | |
</code></p> | |
</div> | |
</div> | |
<div id="detail-d1e30104" class="check"> | |
<div><span class="action" id="d1e30104_evidence_button" onclick="switchState('d1e30104_evidence'); return false;">Show</span><span class="caption"> Assessment Evidence</span></div> | |
<div class="xml" id="d1e30104_evidence"> | |
<table class="evidence-sep" width="100%"> | |
<caption class="bold">Complex Check</caption> | |
<tr> | |
<td class="bold" width="5%">AND</td> | |
<td width="95%"> | |
<div xmlns="http://cisecurity.org/evidence" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:ciscf="https://benchmarks |