From 07a363f1cb759c087e1b2d95e1fa6268030ff064 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Tue, 3 Sep 2019 22:23:27 +0800
Subject: [PATCH 01/34] Update how_to_creating_and_making_an_AMI_public.mk
---
 .../AMI/how_to_creating_and_making_an_AMI_public.mkd | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd
index 56b72fb..6fff1e6 100644
--- a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd
+++ b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd
@@ -48,10 +48,11 @@ admin@ip:/opt/harbian-audit-master# passwd admin
 ```
 admin@ip:/opt/harbian-audit-master$ sudo cp debian/default /etc/default/cis-hardening
 admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
+admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init
 admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all
 admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5
 admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg
-admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.7_remove_nopasswd_sudoers.cfg
+admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg
 admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply
 admin@ip:/opt/harbian-audit-master$ sudo sed -i "/^root/a\admin ALL=(ALL:ALL) ALL" /etc/sudoers
 admin@ip:/opt/harbian-audit-master$ sudo reboot
From c31073eb1e35a2c8f93d72e5d513d2368c030c87 Mon Sep 17 00:00:00 2001
From: Samson-W Date: Wed, 4 Sep 2019 02:03:53 +0800 Subject: [PATCH 02/34] Update how_to_creating_and_making_an_AMI_public.mkd and remove duplicate check for /var/log/sudo.log --- bin/hardening/8.1.16_record_sudo_usage.sh | 26 ++++--------------- ...w_to_creating_and_making_an_AMI_public.mkd | 2 +- 2 files changed, 6 insertions(+), 22 deletions(-) diff --git a/bin/hardening/8.1.16_record_sudo_usage.sh b/bin/hardening/8.1.16_record_sudo_usage.sh index 7c588aa..66e6f80 100755 --- a/bin/hardening/8.1.16_record_sudo_usage.sh +++ b/bin/hardening/8.1.16_record_sudo_usage.sh @@ -14,7 +14,6 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -SUDOLOG='/var/log/sudo.log' AUDIT_VALUE='-w /var/log/sudo.log -p wa -k sudoaction' FILE='/etc/audit/rules.d/audit.rules' @@ -23,18 +22,12 @@ audit () { # define custom IFS and save default one d_IFS=$IFS IFS=$'\n' - if [ -f $SUDOLOG ]; then - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - FNRET=2 - else - ok "$AUDIT_VALUE is present in $FILE" - fi - else - crit "file $SUDOLOG is not exist!" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" FNRET=1 + else + ok "$AUDIT_VALUE is present in $FILE" fi IFS=$d_IFS } @@ -45,15 +38,6 @@ apply () { d_IFS=$IFS IFS=$'\n' if [ $FNRET = 1 ]; then - warn "file $SUDOLOG is not exist! Set default logfile path in /etc/sudoers." - sed -i '$aDefaults logfile="/var/log/sudo.log"' /etc/sudoers - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - fi - elif [ $FNRET = 2 ]; then warn "$AUDIT_VALUE is not in file $FILE, adding it" add_end_of_file $FILE $AUDIT_VALUE check_auditd_is_immutable_mode 
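Review bot: In the second hunk `audit()` now reports ok as soon as the watch rule is present in `$FILE`, and the third hunk drops the step in `apply()` that appended `Defaults logfile="/var/log/sudo.log"` to /etc/sudoers, so this check alone can pass on a host where sudo never writes the file being watched. The commit subject calls the log-file check a duplicate; if another check owns it, a comment above `AUDIT_VALUE` should say so, e.g. `# sudo's logfile setting is verified by check <CHECK_ID>; this script only verifies the audit watch rule`. The new lines would also be safer quoted, as `does_pattern_exist_in_file "$FILE" "$AUDIT_VALUE"` and `[ "$FNRET" != 0 ]`. Both `audit()` and `apply()` begin before their hunks and `apply()` continues past the last one.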
diff --git a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd index 6fff1e6..8d29d52 100644 --- a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd +++ b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd @@ -59,7 +59,7 @@ admin@ip:/opt/harbian-audit-master$ sudo reboot ``` After reboot: ``` -admin@ip:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh +admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh admin@ip:/opt/harbian-audit-master$ sudo -s admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 From 10fb74a7445bf806fe3796d4ef3db5d9a5f83895 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Thu, 5 Sep 2019 18:07:19 +0800 Subject: [PATCH 03/34] Fix bug of 2.1 --- bin/hardening/2.1_tmp_partition.sh | 52 +++++++++++++++++++----------- lib/utils.sh | 18 ++++++++++- 2 files changed, 50 insertions(+), 20 deletions(-) diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh index f062691..6f38206 100755 --- a/bin/hardening/2.1_tmp_partition.sh +++ b/bin/hardening/2.1_tmp_partition.sh @@ -16,7 +16,10 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" -TMPMOUNTNAME="tmp.mount" +SERVICENAME="tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" +REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
@@ -36,19 +39,12 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ $(systemctl | grep -c "tmp.mount[[:space:]]*loaded[[:space:]]active[[:space:]]mounted") -eq 1 ]; then - ok "$TMPMOUNTNAME service is active!" - is_mounted "$PARTITION" - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted" - FNRET=3 - else - ok "$PARTITION is mounted" - FNRET=0 - fi + is_service_active $SERVICENAME + if [ $FNRET -eq 0 ]; then + ok "$SERVICENAME service is active!" else - crit "$TMPMOUNTNAME service is not active!" - FNRET=4 + crit "$SERVICENAME service is inactive!" + FNRET=3 fi fi } @@ -63,12 +59,30 @@ apply () { warn "mounting $PARTITION" mount $PARTITION elif [ $FNRET = 3 ]; then - $SUDO_CMD systemctl daemon-reload - $SUDO_CMD systemctl start "$TMPMOUNTNAME" - elif [ $FNRET = 4 ]; then - $SUDO_CMD systemctl enable "$TMPMOUNTNAME" - $SUDO_CMD systemctl daemon-reload - $SUDO_CMD systemctl start "$TMPMOUNTNAME" + if [ $OS_RELEASE -eq 1 ]; then + if [ -e $DEBIAN_SERVICEPATH ]; then + $SUDO_CMD systemctl enable "$SERVICENAME" + $SUDO_CMD systemctl daemon-reload + $SUDO_CMD systemctl start "$SERVICENAME" + else + if [ -e $SERVICEPATH_DEBIAN ]; then + cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH + $SUDO_CMD systemctl enable "$SERVICENAME" + $SUDO_CMD systemctl daemon-reload + $SUDO_CMD systemctl start "$SERVICENAME" + else + crit "System unit file $DEBIAN_SERVICEPATH is not exist!" + fi + fi + elif [ $OS_RELEASE -eq 2 ]; then + if [ -e $REDHAT_SERVICEPATH ]; then + $SUDO_CMD systemctl enable "$SERVICENAME" + $SUDO_CMD systemctl daemon-reload + $SUDO_CMD systemctl start "$SERVICENAME" + else + crit "System unit file $REDHAT_SERVICEPATH is not exist!" + fi + fi fi } diff --git a/lib/utils.sh b/lib/utils.sh index 647bda3..75dadd4 100644 --- a/lib/utils.sh +++ b/lib/utils.sh 
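Review bot: In the `apply()` hunk the fallback `cp $SERVICEPATH_DEBIAN $DEBIAN_SERVICEPATH` runs without `$SUDO_CMD` and its result is never checked, while every `systemctl` call beside it goes through `$SUDO_CMD`; if the copy fails, the enable/reload/start sequence still runs against a unit file that was not installed. `$SUDO_CMD cp -- "$SERVICEPATH_DEBIAN" "$DEBIAN_SERVICEPATH" || { crit "Cannot install $DEBIAN_SERVICEPATH"; return; }` keeps the privilege handling consistent and stops on failure. An `$OS_RELEASE` value other than 1 or 2 falls through silently, so a final `else` with a `crit` would make that case visible. The same three `systemctl` lines are repeated in three branches and could move into one small helper. `apply()` starts before the hunk.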
@@ -5,6 +5,22 @@ # debian version check # +is_debian_ge_9() +{ + if [ -r /etc/debian_version ]; then + if [ $(cat /etc/debian_version | awk -F"." '{print $1}') -ge 9 ]; then + debug "Debian version is greater than or equal to 9" + FNRET=0 + else + debug "Debian version is less than 9" + FNRET=1 + fi + else + debug "Current OS is not Debian." + FNRET=2 + fi +} + is_debian_9() { if [ -r /etc/debian_version ]; then @@ -254,7 +270,7 @@ is_service_active() { if [ $OS_RELEASE -eq 2 ]; then FNRET=0 else - is_debian_9 + is_debian_ge_9 fi if [ $FNRET = 0 ]; then if [ $(systemctl is-active $SERVICE | grep -c "^active") -eq 1 ]; then From 74c2984631dec059b984b066edc93fb102bcfc2c Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 6 Sep 2019 04:55:26 +0800 Subject: [PATCH 04/34] Fix some bugs for 2.1 2.3 --- bin/hardening/2.1_tmp_partition.sh | 2 +- bin/hardening/2.3_tmp_nosuid.sh | 76 ++++++++++++++++++------------ 2 files changed, 47 insertions(+), 31 deletions(-) diff --git a/bin/hardening/2.1_tmp_partition.sh b/bin/hardening/2.1_tmp_partition.sh index 6f38206..499d273 100755 --- a/bin/hardening/2.1_tmp_partition.sh +++ b/bin/hardening/2.1_tmp_partition.sh @@ -80,7 +80,7 @@ apply () { $SUDO_CMD systemctl daemon-reload $SUDO_CMD systemctl start "$SERVICENAME" else - crit "System unit file $REDHAT_SERVICEPATH is not exist!" + crit "System unit file $REDHAT_SERVICEPATH is not exist!" fi fi fi diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh index e41e267..4c88b99 100755 --- a/bin/hardening/2.3_tmp_nosuid.sh +++ b/bin/hardening/2.3_tmp_nosuid.sh 
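Review bot: The version test in the new `is_debian_ge_9` passes an unquoted command substitution to `-ge`, so a `/etc/debian_version` whose first field is not a number (testing and unstable carry a codename such as `bullseye/sid`) makes `[` fail with an integer-expression error and the function reports "less than 9". `is_service_active` now depends on this result (second hunk), so such hosts would presumably be treated as pre-9 systems; the rest of that function is outside the hunk. Reading the field once and rejecting non-numeric values avoids it: `ver=$(awk -F. '{print $1; exit}' /etc/debian_version)` followed by `case "$ver" in ''|*[!0-9]*) FNRET=2; return ;; esac` before `[ "$ver" -ge 9 ]`. A short header comment listing the three `FNRET` values (0, 1, 2) would also help callers.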
@@ -17,9 +17,10 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" OPTION="nosuid" -SERVICEPATH="/usr/share/systemd/tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
@@ -45,36 +46,51 @@ audit () { FNRET=1 fi else - warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then - if [ $OS_RELEASE -eq 2 ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" + if [ $OS_RELEASE -eq 1 ]; then + if [ -e $DEBIAN_SERVICEPATH ]; then + has_mount_option_systemd $DEBIAN_SERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 + else + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=5 + else + ok "$PARTITION mounted with $OPTION" + FNRET=0 + fi + fi else - has_mount_option_systemd $SERVICEPATH $OPTION + crit "$DEBIAN_SERVICEPATH is not exist! Please apply 2.1 first!" + FNRET=2 fi - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi - fi - else - if [ $OS_RELEASE -eq 2 ]; then - crit "$REDHAT_SERVICEPATH is not exist!" + elif [ $OS_RELEASE -eq 2 ]; then + if [ -e $REDHAT_SERVICEPATH ]; then + has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 + else + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=5 + else + ok "$PARTITION mounted with $OPTION" + FNRET=0 + fi + fi else - crit "$SERVICEPATH is not exist!" - fi - FNRET=2 - fi - fi + crit "$REDHAT_SERVICEPATH is not exist! 
Please apply 2.1 first!" + FNRET=2 + fi + fi + fi } # This function will be called if the script status is on enabled mode @@ -82,7 +98,7 @@ apply () { if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + crit "System unit $SERVICENAME is not exist! Please apply 2.1 first!" elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -98,7 +114,7 @@ apply () { if [ $OS_RELEASE -eq 2 ]; then add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME else - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME + add_option_to_systemd $DEBIAN_SERVICEPATH $OPTION $SERVICENAME fi remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then From 92a96e8dc362e71424a3353ac4585f1142f92e0b Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 6 Sep 2019 15:57:49 +0800 Subject: [PATCH 05/34] Optimize the code of 2.2~2.4 --- bin/hardening/2.2_tmp_nodev.sh | 59 ++++++++++++++--------------- bin/hardening/2.3_tmp_nosuid.sh | 67 ++++++++++++--------------------- bin/hardening/2.4_tmp_noexec.sh | 67 ++++++++++++++++----------------- 3 files changed, 87 insertions(+), 106 deletions(-) diff --git a/bin/hardening/2.2_tmp_nodev.sh b/bin/hardening/2.2_tmp_nodev.sh index eafa7f2..a79d443 100755 --- a/bin/hardening/2.2_tmp_nodev.sh +++ b/bin/hardening/2.2_tmp_nodev.sh @@ -18,8 +18,9 @@ HARDENING_LEVEL=2 PARTITION="/tmp" OPTION="nodev" SERVICENAME="tmp.mount" -SERVICEPATH="/usr/share/systemd/tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
@@ -46,43 +47,45 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then - if [ $OS_RELEASE -eq 2 ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION - else - has_mount_option_systemd $SERVICEPATH $OPTION - fi - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 + else + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" FNRET=5 else ok "$PARTITION mounted with $OPTION" FNRET=0 fi fi - else - if [ $OS_RELEASE -eq 2 ]; then - crit "$REDHAT_SERVICEPATH is not exist!" - else - crit "$SERVICEPATH is not exist!" - fi - FNRET=2 - fi - fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" + FNRET=2 + fi + fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -95,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/2.3_tmp_nosuid.sh b/bin/hardening/2.3_tmp_nosuid.sh index 4c88b99..e403c7f 100755 --- a/bin/hardening/2.3_tmp_nosuid.sh +++ b/bin/hardening/2.3_tmp_nosuid.sh 
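Review bot: `UNITSERVICEPATH` is assigned only when `$OS_RELEASE` is 1 or 2, and the following `[ -e $UNITSERVICEPATH ]` is unquoted, so for any other value the test collapses to `[ -e ]`, which is true, and `has_mount_option_systemd` is then called with an empty path (or the script aborts on the unset variable if `set -u` is in effect). The same selection block and unquoted test appear in the matching hunks of 2.3_tmp_nosuid.sh and 2.4_tmp_noexec.sh in this commit. Adding `else crit "Unsupported OS_RELEASE: $OS_RELEASE"; FNRET=2; return` to the selection and quoting the test as `[ -e "$UNITSERVICEPATH" ]` closes the gap. The block is also duplicated between `audit()` and `apply()` in each file; setting `UNITSERVICEPATH` once at file scope next to `DEBIAN_SERVICEPATH` would remove the copies.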
@@ -48,57 +48,44 @@ audit () { else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" if [ $OS_RELEASE -eq 1 ]; then - if [ -e $DEBIAN_SERVICEPATH ]; then - has_mount_option_systemd $DEBIAN_SERVICEPATH $OPTION - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi - fi - else - crit "$DEBIAN_SERVICEPATH is not exist! Please apply 2.1 first!" - FNRET=2 - fi + UNITSERVICEPATH=$DEBIAN_SERVICEPATH elif [ $OS_RELEASE -eq 2 ]; then - if [ -e $REDHAT_SERVICEPATH ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 + else + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=5 else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi + ok "$PARTITION mounted with $OPTION" + FNRET=0 fi - else - crit "$REDHAT_SERVICEPATH is not exist! Please apply 2.1 first!" - FNRET=2 fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
+ FNRET=2 fi fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "System unit $SERVICENAME is not exist! Please apply 2.1 first!" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -111,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $DEBIAN_SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" diff --git a/bin/hardening/2.4_tmp_noexec.sh b/bin/hardening/2.4_tmp_noexec.sh index 52f16cb..618d75a 100755 --- a/bin/hardening/2.4_tmp_noexec.sh +++ b/bin/hardening/2.4_tmp_noexec.sh @@ -17,9 +17,10 @@ HARDENING_LEVEL=2 # Quick factoring as many script use the same logic PARTITION="/tmp" OPTION="noexec" -SERVICEPATH="/usr/share/systemd/tmp.mount" +SERVICEPATH_DEBIAN="/usr/share/systemd/tmp.mount" SERVICENAME="tmp.mount" REDHAT_SERVICEPATH="/usr/lib/systemd/system/tmp.mount" +DEBIAN_SERVICEPATH="/lib/systemd/system/tmp.mount" # This function will be called if the script status is on enabled / audit mode audit () { 
@@ -46,43 +47,45 @@ audit () { fi else warn "$PARTITION is not partition in /etc/fstab, check tmp.mount service" - if [ -e $SERVICEPATH -o -e $REDHAT_SERVICEPATH ]; then - if [ $OS_RELEASE -eq 2 ]; then - has_mount_option_systemd $REDHAT_SERVICEPATH $OPTION + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi + if [ -e $UNITSERVICEPATH ]; then + has_mount_option_systemd $UNITSERVICEPATH $OPTION + if [ $FNRET -gt 0 ]; then + crit "$PARTITION has no option $OPTION in systemd service!" + FNRET=3 else - has_mount_option_systemd $SERVICEPATH $OPTION + ok "$PARTITION has $OPTION in systemd service" + has_mounted_option $PARTITION $OPTION + if [ $FNRET -gt 0 ]; then + warn "$PARTITION is not mounted with $OPTION at runtime" + FNRET=5 + else + ok "$PARTITION mounted with $OPTION" + FNRET=0 + fi fi - if [ $FNRET -gt 0 ]; then - crit "$PARTITION has no option $OPTION in systemd service!" - FNRET=3 - else - ok "$PARTITION has $OPTION in systemd service" - has_mounted_option $PARTITION $OPTION - if [ $FNRET -gt 0 ]; then - warn "$PARTITION is not mounted with $OPTION at runtime" - FNRET=5 - else - ok "$PARTITION mounted with $OPTION" - FNRET=0 - fi - fi - else - if [ $OS_RELEASE -eq 2 ]; then - crit "$REDHAT_SERVICEPATH is not exist!" - else - crit "$SERVICEPATH is not exist!" - fi - FNRET=2 - fi - fi + else + crit "$UNITSERVICEPATH is not exist! Please apply 2.1 first!" + FNRET=2 + fi + fi } # This function will be called if the script status is on enabled mode apply () { + if [ $OS_RELEASE -eq 1 ]; then + UNITSERVICEPATH=$DEBIAN_SERVICEPATH + elif [ $OS_RELEASE -eq 2 ]; then + UNITSERVICEPATH=$REDHAT_SERVICEPATH + fi if [ $FNRET = 0 ]; then ok "$PARTITION is correctly set" elif [ $FNRET = 2 ]; then - crit "$PARTITION is not a partition, correct this by yourself, I cannot help you here" + crit "System unit $UNITSERVICEPATH is not exist! Please apply 2.1 first!" 
elif [ $FNRET = 1 ]; then info "Adding $OPTION to fstab" add_option_to_fstab $PARTITION $OPTION @@ -95,11 +98,7 @@ apply () { fi elif [ $FNRET = 3 ]; then info "Adding $OPTION to systemd" - if [ $OS_RELEASE -eq 2 ]; then - add_option_to_systemd $REDHAT_SERVICEPATH $OPTION $SERVICENAME - else - add_option_to_systemd $SERVICEPATH $OPTION $SERVICENAME - fi + add_option_to_systemd $UNITSERVICEPATH $OPTION $SERVICENAME remount_partition_by_systemd $SERVICENAME $PARTITION elif [ $FNRET = 4 ]; then info "Remounting $PARTITION from fstab" From 515b906c488d8174bd9412bb73fa253f74e35290 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 6 Sep 2019 16:51:56 +0800 Subject: [PATCH 06/34] Fix a bug of 8.1.27: If dir does not exist, an error will be generated when using the find command. --- bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh index 71c594d..9c65662 100755 --- a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh +++ b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh @@ -15,7 +15,7 @@ HARDENING_LEVEL=4 AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F perm=wa -k config_file_change -a always,exit -F path=$(find /etc/ -name auditd.conf) -F perm=wa -k config_file_change --a always,exit -F dir=$(find /etc/audit/ -name rules.d) -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change -a always,exit -F path=$(find /etc/ -name grub) -F perm=wa -k config_file_change -a always,exit -F path=$(find /etc/ -name fstab) -F perm=wa -k config_file_change -a always,exit -F path=$(find /etc/ -name hosts.deny) -F perm=wa -k config_file_change 
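Review bot: Only the `rules.d` rule in `AUDIT_PARAMS` is pinned to a literal path; the neighbouring rules still resolve their target with `$(find /etc/ -name …)`, which gives an empty `path=` when the file is missing and several paths when the name occurs more than once under /etc, so the resulting audit rule may not watch the intended file. For files with a fixed location the literal form is more predictable, e.g. `-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change`. How the single-quoted `$(…)` text gets expanded is not visible in this hunk, so this should be confirmed against `check_audit_path`.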
@@ -39,7 +39,7 @@ audit () { for AUDIT_VALUE in $AUDIT_PARAMS; do check_audit_path $AUDIT_VALUE if [ $FNRET -eq 1 ];then - crit "path is not exsit! Please check file path is exist!" + crit "path is not exsit! Please check file path is exist! Rule: $AUDIT_VALUE" continue else debug "$AUDIT_VALUE should be in file $FILE" From 1b8493f0abadeb9a5615b275a2875b4f8067622a Mon Sep 17 00:00:00 2001 From: Samson-W Date: Mon, 9 Sep 2019 18:05:13 +0800 Subject: [PATCH 07/34] Update etc.iptables.rules.v4.sh --- docs/configurations/etc.iptables.rules.v4.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/configurations/etc.iptables.rules.v4.sh b/docs/configurations/etc.iptables.rules.v4.sh index 98827f8..2d7e2b2 100644 --- a/docs/configurations/etc.iptables.rules.v4.sh +++ b/docs/configurations/etc.iptables.rules.v4.sh @@ -1,6 +1,15 @@ #!/bin/bash IPT="/sbin/iptables" - +PUB_IFS="ens33" + +if [ $# -lt 1 ]; then + echo "Must be set to greater than or equal to a public network interface. usage: $0 eth0, or $0 eth0 eth1" + exit 1 +else + PUB_IFS="$@" + echo "Public interface is $PUB_IFS" +fi + echo "Starting IPv4 Wall..." $IPT -F $IPT -X @@ -11,7 +20,6 @@ IPT="/sbin/iptables" $IPT -N LOGDROP modprobe ip_conntrack -PUB_IFS="ens33" #unlimited $IPT -A INPUT -i lo -j ACCEPT From 59d481fd1d9572a9c1aff0be2c7f96013b0bb5dc Mon Sep 17 00:00:00 2001 From: Samson-W Date: Mon, 9 Sep 2019 19:57:49 +0800 Subject: [PATCH 08/34] Update README.md and README-CN.md --- README-CN.md | 12 ++++++++++-- README.md | 15 +++++++++++++-- ...ilter.sh => 8.1.18_record_Events_netfilter.sh} | 0 ...uditd_conf.sh => 8.1.32_freeze_auditd_conf.sh} | 0 .../how_to_creating_and_making_a_QEMU_img.mkd | 9 +++++---- 5 files changed, 28 insertions(+), 8 deletions(-) rename bin/hardening/{8.1.32_record_Events_netfilter.sh => 8.1.18_record_Events_netfilter.sh} (100%) rename bin/hardening/{8.1.18_freeze_auditd_conf.sh => 8.1.32_freeze_auditd_conf.sh} (100%) 
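Review bot: The new argument handling in etc.iptables.rules.v4.sh accepts any string as an interface name and then goes straight on to flushing the existing rules, so a mistyped name can leave the host with a ruleset that does not match its real public interface, depending on how `PUB_IFS` is used further down, outside the hunk. Checking each argument against `/sys/class/net` before the first `$IPT -F` would catch that. `PUB_IFS="$@"` should be `PUB_IFS="$*"`, since assigning `$@` to a scalar is flagged by ShellCheck, and the usage text belongs on stderr. The initial `PUB_IFS="ens33"` is now dead, because the value is always overwritten or the script exits.
```shell
if [ $# -lt 1 ]; then
    echo "Must be set to greater than or equal to a public network interface. usage: $0 eth0, or $0 eth0 eth1" >&2
    exit 1
fi
for ifc in "$@"; do
    # Refuse names that do not exist before any rule is flushed.
    if [ ! -e "/sys/class/net/$ifc" ]; then
        echo "Unknown network interface: $ifc" >&2
        exit 1
    fi
done
PUB_IFS="$*"
echo "Public interface is $PUB_IFS"
# … unchanged: echo "Starting IPv4 Wall..." and the $IPT flush …
```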
diff --git a/README-CN.md b/README-CN.md index c4b52d0..0d7d273 100644 --- a/README-CN.md +++ b/README-CN.md @@ -154,14 +154,22 @@ EXCEPTIONS="" 执行如下的命令进行部署: ``` $ INTERFACENAME="your network interfacename(Example eth0)" -$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh -$ sudo bash docs/configurations/etc.iptables.rules.v4.sh +$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME $ sudo -s # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` 5) 使用passwd命令改变所有用户的密码,以满足pam_cracklib模块配置的密码复杂度及健壮性。 +6) 必须在第一次修复应用后进行修复的项 +``` +8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。 +``` +7) 必须在所有项都修复应用后进行修复的项 +``` +8.4.1 8.4.2 这都是与aide检测文件完整性相关的项,最好是在所有项都修复好后再进行修复,以修复好的系统中的文件进行完整性的数据库的初始化。 +``` + ## 特别注意 一些检查项需要依赖多次修复,且操作系统需要多次重启。需要进行两次修复的项有: 8.1.1.2 diff --git a/README.md b/README.md index c70294e..02ece24 100644 --- a/README.md +++ b/README.md 
@@ -169,13 +169,24 @@ Set the corresponding firewall rules according to the applications used. Hardene to do the following: ``` $ INTERFACENAME="your network interfacename(Example eth0)" -$ sed -i "s/PUB_IFS=.*/PUB_IFS=\"$INTERFACENAME\"/g" docs/configurations/etc.iptables.rules.v4.sh -$ sudo bash docs/configurations/etc.iptables.rules.v4.sh +$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME $ sudo -s # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` +5) Use the passwd command to change the passwords of all users to apply the password complexity and robustness of the pam_cracklib module configuration. + +6) Items that must be applied after the first application(reboot after is better) +``` +8.1.32 Because this item is set, the audit rules will not be added. +``` + +7) Items that must be applied after all application is ok +``` +8.4.1 8.4.2 These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. +``` + ### nft format rules: [nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf) to do the following(your network interfacename(Example eth0)): diff --git a/bin/hardening/8.1.32_record_Events_netfilter.sh b/bin/hardening/8.1.18_record_Events_netfilter.sh similarity index 100% rename from bin/hardening/8.1.32_record_Events_netfilter.sh rename to bin/hardening/8.1.18_record_Events_netfilter.sh diff --git a/bin/hardening/8.1.18_freeze_auditd_conf.sh b/bin/hardening/8.1.32_freeze_auditd_conf.sh similarity index 100% rename from bin/hardening/8.1.18_freeze_auditd_conf.sh rename to bin/hardening/8.1.32_freeze_auditd_conf.sh diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd index 4fadd95..06cf65b 100644 
--- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd @@ -42,14 +42,14 @@ Then follow the wizard to install step by step. ### Pre-Install ``` -root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip +root@harbian:/home/harbian-audit# apt update && apt install -y bc net-tools vim unzip pciutils network-manager ``` ### Get harbian-audit project ``` $ cd /opt root@harbian:/opt# wget https://github.com/hardenedlinux/harbian-audit/archive/master.zip -root@harbian:/opt# sudo unzip master.zip +root@harbian:/opt# unzip master.zip root@harbian:/opt# cd harbian-audit-master/ ``` @@ -59,7 +59,8 @@ root@harbian:/opt# cd harbian-audit-master/ ``` root@harbian:/opt/harbian-audit-master# cp debian/default /etc/default/cis-hardening root@harbian:/opt/harbian-audit-master# sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening -root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all +root@harbian:/opt/harbian-audit-master# bash bin/hardening.sh --init +root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5 root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply @@ -84,7 +85,7 @@ $ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/L ### Set grub passwd superusers: harbiansuper -passwd: harbian_AUDIT,12@) +passwd: harbian_AUDIT,09)( Related how to config grub2 password protection, please reference: [how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd) From 660496551b50d47cbd9c14a5c8fae1faf60bfc70 Mon Sep 17 00:00:00 2001 
From: Samson-W Date: Tue, 10 Sep 2019 04:59:08 +0800 Subject: [PATCH 09/34] Update README.md and README-CN.md --- README-CN.md | 26 +++++++++++++++++++------- README.md | 29 +++++++++++++---------------- 2 files changed, 32 insertions(+), 23 deletions(-) diff --git a/README-CN.md b/README-CN.md index 0d7d273..aaded34 100644 --- a/README-CN.md +++ b/README-CN.md @@ -151,7 +151,8 @@ EXCEPTIONS="" 4) 设置基本的iptables防火墙规则 根据实现场景进行防火墙规则的配置,可参考HardenedLinux社区归纳的基于Debian GNU/Linux的防火墙规则的基本规则: [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh) -执行如下的命令进行部署: + +基于iptables的部署: ``` $ INTERFACENAME="your network interfacename(Example eth0)" $ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME @@ -159,25 +160,36 @@ $ sudo -s # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` +基于nft的部署: +按照以下命令修改nftables.conf(你的对外网口的名称,例如:eth0): +``` +$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf +$ sudo nft -f ./etc.nftables.conf +``` 5) 使用passwd命令改变所有用户的密码,以满足pam_cracklib模块配置的密码复杂度及健壮性。 -6) 必须在第一次修复应用后进行修复的项 +## 特别注意 + +### 必须在第一次修复应用后进行修复的项 ``` 8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。 ``` -7) 必须在所有项都修复应用后进行修复的项 +### 必须在所有项都修复应用后进行修复的项 ``` 8.4.1 8.4.2 这都是与aide检测文件完整性相关的项,最好是在所有项都修复好后再进行修复,以修复好的系统中的文件进行完整性的数据库的初始化。 ``` - -## 特别注意 -一些检查项需要依赖多次修复,且操作系统需要多次重启。需要进行两次修复的项有: +### 一些检查项需要依赖多次修复,且操作系统需要多次重启 +#### 需要进行两次修复的项 +``` 8.1.1.2 8.1.1.3 8.1.12 +``` -需要修复3次的项: +#### 需要修复3次的项 +``` 4.5 +``` ## 玩(如何添加检查项) diff --git a/README.md b/README.md index 02ece24..4ef7d53 100644 --- a/README.md +++ b/README.md 
@@ -175,18 +175,6 @@ $ sudo -s # ip6tables-save > /etc/iptables/rules.v6 ``` -5) Use the passwd command to change the passwords of all users to apply the password complexity and robustness of the pam_cracklib module configuration. - -6) Items that must be applied after the first application(reboot after is better) -``` -8.1.32 Because this item is set, the audit rules will not be added. -``` - -7) Items that must be applied after all application is ok -``` -8.4.1 8.4.2 These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. -``` - ### nft format rules: [nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf) to do the following(your network interfacename(Example eth0)): 
@@ -194,18 +182,27 @@ to do the following(your network interfacename(Example eth0)): $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf $ sudo nft -f ./etc.nftables.conf ``` - -5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module. +5) Use the passwd command to change the passwords of all users to apply the password complexity and robustness of the pam_cracklib module configuration. ## Special Note Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix). -Items that need to be fix twice: +### Items that must be applied after the first application(reboot after is better) +``` +8.1.32 Because this item is set, the audit rules will not be added. +``` + +### Items that must be applied after all application is ok +``` +8.4.1 8.4.2 These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. +``` + +### Items that need to be fix twice 8.1.1.2 8.1.1.3 8.1.12 -Items that need to be fix three times: +### Items that need to be fix three times: 4.5 ## Hacking From b3d8a08ac4168fad25f3bbb9782a8e1800c6330f Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 10 Sep 2019 05:03:05 +0800 Subject: [PATCH 10/34] Update format of README-CN.md and README.md --- README-CN.md | 10 ++-------- README.md | 8 +++----- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/README-CN.md b/README-CN.md index aaded34..fd36aa9 100644 --- a/README-CN.md +++ b/README-CN.md 
@@ -171,25 +171,19 @@ $ sudo nft -f ./etc.nftables.conf ## 特别注意 ### 必须在第一次修复应用后进行修复的项 -``` 8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。 -``` + ### 必须在所有项都修复应用后进行修复的项 -``` 8.4.1 8.4.2 这都是与aide检测文件完整性相关的项,最好是在所有项都修复好后再进行修复,以修复好的系统中的文件进行完整性的数据库的初始化。 -``` + ### 一些检查项需要依赖多次修复,且操作系统需要多次重启 #### 需要进行两次修复的项 -``` 8.1.1.2 8.1.1.3 8.1.12 -``` #### 需要修复3次的项 -``` 4.5 -``` ## 玩(如何添加检查项) diff --git a/README.md b/README.md index 4ef7d53..4c9277e 100644 --- a/README.md +++ b/README.md @@ -188,14 +188,12 @@ $ sudo nft -f ./etc.nftables.conf Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix). ### Items that must be applied after the first application(reboot after is better) -``` 8.1.32 Because this item is set, the audit rules will not be added. -``` ### Items that must be applied after all application is ok -``` -8.4.1 8.4.2 These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. -``` +8.4.1 +8.4.2 +These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. ### Items that need to be fix twice 8.1.1.2 From 6e7bef7a9d41e29bec6ae643ff49c70a30e6394b Mon Sep 17 00:00:00 2001 
From: Samson-W Date: Tue, 10 Sep 2019 17:14:59 +0800 Subject: [PATCH 11/34] Fix some bug for audit rules set. --- .../8.1.19_record_sshkeysign_usage.sh | 13 ++- ...Events_that_privileged_passwd_cmd_usage.sh | 17 ++- ...s_that_privileged_priv_change_cmd_usage.sh | 23 ++-- ...vents_that_privileged_postfix_cmd_usage.sh | 11 +- .../8.1.24_record_crontab_cmd_usage.sh | 11 +- ...25_record_pam_timestamp_check_cmd_usage.sh | 10 +- .../8.1.26_record_pam_tally_cmd_usage.sh | 101 ++++++++++-------- ...27_record_Events_that_modify_conf_files.sh | 14 +-- bin/hardening/8.1.28_record_acl_cmd_usage.sh | 10 +- .../8.1.29_record_usermod_cmd_usage.sh | 11 +- .../8.1.30_record_unix_update_cmd_usage.sh | 7 +- bin/hardening/8.1.7_record_mac_edit.sh | 10 +- .../8.5_ensure_permissions_on_all_logfiles.sh | 4 +- 13 files changed, 142 insertions(+), 100 deletions(-) diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh index f89d331..8f36e14 100755 --- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh +++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh 
@@ -10,14 +10,17 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 - -AUDIT_PARAMS="-a always,exit -F path=$(find /usr/ -name "ssh-keysign") -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh --a always,exit -F path=$(which ssh-agent 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" - -set -e # One error, it's over +if [ $OS_RELEASE -eq 1 ]; then +AUDIT_PARAMS="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" +elif [ $OS_RELEASE -eq 2 ]; then +AUDIT_PARAMS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" +fi FILE='/etc/audit/rules.d/audit.rules' diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh index 242f564..b00b7df 100755 --- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh +++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh 
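Review bot: `$OS_RELEASE` is now read at the top level of the script, directly under `set -u` and the hoisted `set -e`, and nothing in this hunk defines it; if it is only set once the shared library is sourced further down, the script aborts here before any check runs, so confirm where it is assigned. The `if`/`elif` also has no fallback, so any value other than 1 or 2 leaves `AUDIT_PARAMS` unset and its first later use trips `set -u`. The same top-level selection is added in the 8.1.21, 8.1.22, 8.1.23, 8.1.24, 8.1.25 and 8.1.29 hunks of this patch. Keeping both rule sets in separate variables and choosing between them inside `check_config()` would avoid the ordering problem.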
@@ -10,15 +10,22 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS="-a always,exit -F path=$(which passwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=$(which unix_chkpwd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=$(which gpasswd 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd --a always,exit -F path=$(which chage 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +if [ $OS_RELEASE -eq 1 ]; then +AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +elif [ $OS_RELEASE -eq 1 ]; then +AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +-a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" +fi -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh index 229fac8..6e5fd24 100755 --- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh 
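Review bot: The second branch repeats the first test, `elif [ $OS_RELEASE -eq 1 ]; then`, so the block carrying `/usr/sbin/unix_chkpwd` and `/bin/chage` is unreachable and a host with `OS_RELEASE` 2 gets no `AUDIT_PARAMS` at all. Going by the sibling scripts in this patch, the intended line is `elif [ $OS_RELEASE -eq 2 ]; then`. With `set -u` active, the unset variable stops the script on its first use, so the privileged-passwd rules are never audited or applied on that platform.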
+++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh 
@@ -10,17 +10,26 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS="-a always,exit -F path=$(which su 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which sudo 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which newgrp 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which chsh 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which sudoedit 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change --a always,exit -F path=$(which chfn 2>/dev/null) -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +if [ $OS_RELEASE -eq 1 ]; then +AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +elif [ $OS_RELEASE -eq 2 ]; then +AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k 
privileged-priv_change +-a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" +fi -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh index 0f2791f..d27c540 100755 --- a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh +++ b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh @@ -10,13 +10,18 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which postdrop 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix --a always,exit -F path=$(which postqueue 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +if [ $OS_RELEASE -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +if [ $OS_RELEASE -eq 2 ]; then +AUDIT_PARAMS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +-a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' +fi -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh index 4abed4f..9649a13 100755 --- a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh 
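Review bot: The `chfn` rule in both new branches of 8.1.22 keeps `-F auid>=500` while the five rules above it use `-F auid>=1000`, so events under the key `privileged-priv_change` are collected with two different user-id floors. Unless the lower bound is deliberate, align it: `-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change`, and the `/bin/chfn` variant likewise. If it is deliberate, a one-line comment above the variable saying why would keep the next editor from "fixing" it.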
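Review bot: In 8.1.23 the RedHat branch opens with a second `if [ $OS_RELEASE -eq 2 ]; then` instead of `elif`, and only one `fi` follows, so the outer `if` is never closed and the shell rejects the file with a syntax error before any rule is checked. Change the line to `elif [ $OS_RELEASE -eq 2 ]; then`, matching 8.1.19 and 8.1.22 in this patch. As written, the postfix audit rules are neither audited nor applied on any platform.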
+++ b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh @@ -10,14 +10,17 @@ # set -u # One variable unset, it's over - +set -e # One error, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which crontab 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' - -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' +if [ $OS_RELEASE -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +elif [ $OS_RELEASE -eq 2 ]; then +AUDIT_PARAMS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +fi + # This function will be called if the script status is on enabled / audit mode audit () { # define custom IFS and save default one diff --git a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh index 90de0a5..eeedcac 100755 --- a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh +++ b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh @@ -10,13 +10,15 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 - -AUDIT_PARAMS='-a always,exit -F path=$(which pam_timestamp_check 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' - -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' +if [ $OS_RELEASE -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +elif [ $OS_RELEASE -eq 2 ]; then +AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +fi # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh index ccdb5ca..0654a5c 100755 
--- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
+++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
@@ -5,66 +5,75 @@ # # -# 8.1.26 Recored pam_tally/pam_tally2 command usage (Scored) +# 8.1.26 Recored pam_tally/pam_tally2 command usage(Only for Debian) (Scored) # Author : Samson wen, Samson Author add this # set -u # One variable unset, it's over +set -e # One error, it's over +FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which pam_tally 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam --a always,exit -F path=$(which pam_tally2 2>/dev/null) -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' - -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam +-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam' # This function will be called if the script status is on enabled / audit mode audit () { - # define custom IFS and save default one - d_IFS=$IFS - c_IFS=$'\n' - IFS=$c_IFS - for AUDIT_VALUE in $AUDIT_PARAMS; do - check_audit_path $AUDIT_VALUE - if [ $FNRET -eq 1 ];then - crit "path is not exsit! Please check file path is exist!" - continue - else - debug "$AUDIT_VALUE should be in file $FILE" - IFS=$d_IFS - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - IFS=$c_IFS - if [ $FNRET != 0 ]; then - crit "$AUDIT_VALUE is not in file $FILE" - else - ok "$AUDIT_VALUE is present in $FILE" - fi - fi - done - IFS=$d_IFS + # This feature is only for debian + if [ $OS_RELEASE -eq 2 ]; then + ok "CentOS/Redhat is not support, so pass" + elif [ $OS_RELEASE -eq 1 ]; then + # define custom IFS and save default one + d_IFS=$IFS + c_IFS=$'\n' + IFS=$c_IFS + for AUDIT_VALUE in $AUDIT_PARAMS; do + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" 
+ continue + else + debug "$AUDIT_VALUE should be in file $FILE" + IFS=$d_IFS + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + IFS=$c_IFS + if [ $FNRET != 0 ]; then + crit "$AUDIT_VALUE is not in file $FILE" + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi + done + IFS=$d_IFS + fi } # This function will be called if the script status is on enabled mode apply () { - IFS=$'\n' - for AUDIT_VALUE in $AUDIT_PARAMS; do - check_audit_path $AUDIT_VALUE - if [ $FNRET -eq 1 ];then - crit "path is not exsit! Please check file path is exist!" - continue - else - debug "$AUDIT_VALUE should be in file $FILE" - does_pattern_exist_in_file $FILE "$AUDIT_VALUE" - if [ $FNRET != 0 ]; then - warn "$AUDIT_VALUE is not in file $FILE, adding it" - add_end_of_file $FILE $AUDIT_VALUE - check_auditd_is_immutable_mode - else - ok "$AUDIT_VALUE is present in $FILE" - fi - fi - done + # This feature is only for debian + if [ $OS_RELEASE -eq 2 ]; then + ok "CentOS/Redhat is not support, so pass" + elif [ $OS_RELEASE -eq 1 ]; then + IFS=$'\n' + for AUDIT_VALUE in $AUDIT_PARAMS; do + check_audit_path $AUDIT_VALUE + if [ $FNRET -eq 1 ];then + crit "path is not exsit! Please check file path is exist!" + continue + else + debug "$AUDIT_VALUE should be in file $FILE" + does_pattern_exist_in_file $FILE "$AUDIT_VALUE" + if [ $FNRET != 0 ]; then + warn "$AUDIT_VALUE is not in file $FILE, adding it" + add_end_of_file $FILE $AUDIT_VALUE + check_auditd_is_immutable_mode + else + ok "$AUDIT_VALUE is present in $FILE" + fi + fi + done + fi } # This function will check config parameters required diff --git a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh index 9c65662..0c4f984 100755 --- a/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh +++ b/bin/hardening/8.1.27_record_Events_that_modify_conf_files.sh 
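Review bot: `apply()` sets `IFS=$'\n'` inside the Debian branch and never restores it, whereas `audit()` in the same hunk saves `d_IFS` and puts it back after the loop. Whatever runs after `apply()` in the same shell then word-splits on newlines only. Save and restore it the way `audit()` does: `d_IFS=$IFS` before the loop and `IFS=$d_IFS` after `done`. Separately, neither function has an arm for an `OS_RELEASE` other than 1 or 2, so such a host produces neither an `ok` nor a `crit` line for this check.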
@@ -10,16 +10,17 @@ # set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name auditd.conf) -F perm=wa -k config_file_change +AUDIT_PARAMS='-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change +-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change +-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change +-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change -a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name grub) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name fstab) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name hosts.deny) -F perm=wa -k config_file_change --a always,exit -F path=$(find /etc/ -name login.defs) -F perm=wa -k config_file_change -a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change -a always,exit -F path=/etc/profile -F perm=wa -k config_file_change -a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change @@ -27,7 +28,6 @@ AUDIT_PARAMS='-a always,exit -F path=$(find /etc/ -name audisp-remote.conf) -F p -a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change -a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change' -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.1.28_record_acl_cmd_usage.sh b/bin/hardening/8.1.28_record_acl_cmd_usage.sh index 41ce2b0..3d8405e 100755 --- a/bin/hardening/8.1.28_record_acl_cmd_usage.sh 
+++ b/bin/hardening/8.1.28_record_acl_cmd_usage.sh @@ -8,16 +8,16 @@ # 8.1.28 Recored Events that privileged-acl command usage (Scored) # Author : Samson wen, Samson # +# todo to ensure path in debian set -u # One variable unset, it's over +set -e # One error, it's over +FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which setfacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=$(which chacl 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' - -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS='-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng' # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh index fd2e4ed..e2ffec2 100755 --- a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh +++ b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh @@ -10,13 +10,16 @@ # set -u # One variable unset, it's over +set -e # One error, it's over +FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which usermod 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' - -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +if [ $OS_RELEASE -eq 1 ]; then +AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +elif [ $OS_RELEASE -eq 2 ]; then +AUDIT_PARAMS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +fi # This function will be called if the script status is on enabled / audit mode audit () { 
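Review bot: The added `# todo to ensure path in debian` in 8.1.28 says `/usr/bin/setfacl` and `/usr/bin/chacl` were not verified, yet they are now the only paths this check accepts, with no per-distribution split like 8.1.29 gets in this same patch. A `-F path=` rule aimed at a location where the binary is not installed records no events (or fails to load), so ACL changes could go unaudited. Confirm the install paths on each supported release before hardcoding them, or keep separate Debian and RedHat values here as well.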
diff --git a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh index b152ba6..a8011ca 100755 --- a/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh +++ b/bin/hardening/8.1.30_record_unix_update_cmd_usage.sh @@ -10,13 +10,12 @@ # set -u # One variable unset, it's over +set -e # One error, it's over +FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -AUDIT_PARAMS='-a always,exit -F path=$(which unix_update 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' - -set -e # One error, it's over -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS='-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update' # This function will be called if the script status is on enabled / audit mode audit () { diff --git a/bin/hardening/8.1.7_record_mac_edit.sh b/bin/hardening/8.1.7_record_mac_edit.sh index ea261ce..18154d6 100755 --- a/bin/hardening/8.1.7_record_mac_edit.sh +++ b/bin/hardening/8.1.7_record_mac_edit.sh @@ -11,6 +11,7 @@ # todo test for centos set -u # One variable unset, it's over +set -e # One error, it's over HARDENING_LEVEL=4 
@@ -19,17 +20,16 @@ SELINUX_PKG_REDHAT="selinux-policy" SE_AUDIT_PARAMS="-a always,exit -F dir=/etc/selinux/ -F perm=wa -k MAC-policy -a always,exit -F dir=/usr/share/selinux/ -F perm=wa -k MAC-policy --a always,exit -F path=$(which chcon 2>/dev/null) -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=$(which semanage 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=$(which setsebool 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng --a always,exit -F path=$(which setfiles 2>/dev/null) -F auid>=1000 -F auid!=4294967295 -k perm_chng" +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/sbin/semanage -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/sbin/setsebool -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/sbin/setfiles -F auid>=1000 -F auid!=4294967295 -k perm_chng" APPARMOR_PKG="apparmor" AA_AUDIT_PARAMS='-w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy' -set -e # One error, it's over FILE='/etc/audit/rules.d/audit.rules' # This function will be called if the script status is on enabled / audit mode diff --git a/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh b/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh index f1bf38c..985bbc9 100755 --- a/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh +++ b/bin/hardening/8.5_ensure_permissions_on_all_logfiles.sh @@ -41,7 +41,9 @@ apply () { else warn "Permissions of all log files are not correctly configured! Set it" chmod -R $PERMISS_SET $LOGDIR/* - rm $ERRPERFILELIST + if [ -r $ERRPERFILELIST ]; then + rm $ERRPERFILELIST + fi fi } From d75c1accd8e3dd673440aad93ce9c176b2267ff2 Mon Sep 17 00:00:00 2001 
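Review bot: In `SE_AUDIT_PARAMS` only the `chcon` rule carries `-F perm=x`; the `semanage`, `setsebool` and `setfiles` rules have no `perm` field, unlike every other command rule touched by this patch. If that is an oversight, add it, e.g. `-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng`. The hardcoded paths are also the same for both distributions even though the file still carries `# todo test for centos`, so they are worth confirming there.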
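Review bot: The new guard in 8.5 uses unquoted expansions, `[ -r $ERRPERFILELIST ]` and `rm $ERRPERFILELIST`: if the variable is empty, the test collapses to `[ -r ]`, which is true, and the bare `rm` then fails. `rm -f -- "$ERRPERFILELIST"` does the same job in one line without the test. `apply()` begins above this hunk, so how `ERRPERFILELIST` is set is not visible here.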
From: Samson-W Date: Tue, 10 Sep 2019 18:15:18 +0800 Subject: [PATCH 12/34] Fix some bugs for auditd record --- bin/hardening/8.1.19_record_sshkeysign_usage.sh | 16 +++++++++------- ...rd_Events_that_privileged_passwd_cmd_usage.sh | 16 +++++++++------- ...ents_that_privileged_priv_change_cmd_usage.sh | 16 +++++++++------- ...d_Events_that_privileged_postfix_cmd_usage.sh | 16 +++++++++------- bin/hardening/8.1.24_record_crontab_cmd_usage.sh | 14 ++++++++------ ....1.25_record_pam_timestamp_check_cmd_usage.sh | 15 +++++++++------ bin/hardening/8.1.29_record_usermod_cmd_usage.sh | 14 ++++++++------ 7 files changed, 61 insertions(+), 46 deletions(-) diff --git a/bin/hardening/8.1.19_record_sshkeysign_usage.sh b/bin/hardening/8.1.19_record_sshkeysign_usage.sh index 8f36e14..a6eed36 100755 --- a/bin/hardening/8.1.19_record_sshkeysign_usage.sh +++ b/bin/hardening/8.1.19_record_sshkeysign_usage.sh 
@@ -13,16 +13,14 @@ set -u # One variable unset, it's over set -e # One error, it's over HARDENING_LEVEL=4 +FILE='/etc/audit/rules.d/audit.rules' -if [ $OS_RELEASE -eq 1 ]; then -AUDIT_PARAMS="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" -elif [ $OS_RELEASE -eq 2 ]; then -AUDIT_PARAMS="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh" -fi -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -74,7 +72,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh index b00b7df..f5a3c93 100755 --- a/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh +++ b/bin/hardening/8.1.21_record_Events_that_privileged_passwd_cmd_usage.sh 
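Review bot: `check_config()` has no `else` arm, so for any `OS_RELEASE` other than 1 or 2 `AUDIT_PARAMS` stays `""`; if `audit()` iterates over it as the 8.1.26 script does, the loop body never runs and the check finishes without a single `crit`. A hardening check that examined nothing should fail loudly rather than pass silently: add an `else` arm before the `fi` that calls `crit "unsupported OS_RELEASE: $OS_RELEASE"`. The same `check_config()` body is added to 8.1.21, 8.1.22, 8.1.23 and 8.1.24 in this patch and, going by the diffstat, to 8.1.25 and 8.1.29.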
@@ -13,20 +13,18 @@ set -u # One variable unset, it's over set -e # One error, it's over HARDENING_LEVEL=4 +FILE='/etc/audit/rules.d/audit.rules' -if [ $OS_RELEASE -eq 1 ]; then -AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -elif [ $OS_RELEASE -eq 1 ]; then -AUDIT_PARAMS="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd +AUDIT_PARAMS_REDHAT="-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd" -fi -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -78,7 +76,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh index 6e5fd24..3605dc8 100755 
--- a/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
+++ b/bin/hardening/8.1.22_record_Events_that_privileged_priv_change_cmd_usage.sh
@@ -13,24 +13,22 @@ set -u # One variable unset, it's over set -e # One error, it's over HARDENING_LEVEL=4 +FILE='/etc/audit/rules.d/audit.rules' -if [ $OS_RELEASE -eq 1 ]; then -AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +AUDIT_PARAMS_DEBIAN="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -elif [ $OS_RELEASE -eq 2 ]; then -AUDIT_PARAMS="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +AUDIT_PARAMS_REDHAT="-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change" -fi -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { 
@@ -82,7 +80,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh index d27c540..7a062fd 100755 --- a/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh +++ b/bin/hardening/8.1.23_record_Events_that_privileged_postfix_cmd_usage.sh @@ -13,16 +13,14 @@ set -u # One variable unset, it's over set -e # One error, it's over HARDENING_LEVEL=4 +FILE='/etc/audit/rules.d/audit.rules' -if [ $OS_RELEASE -eq 1 ]; then -AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' -if [ $OS_RELEASE -eq 2 ]; then -AUDIT_PARAMS='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix +AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix' -fi -FILE='/etc/audit/rules.d/audit.rules' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -74,7 +72,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter 
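Review bot: check_config has no branch for an OS_RELEASE other than 1 or 2, so on such a host AUDIT_PARAMS keeps the empty default assigned at the top of the file. audit() and apply() lie outside the hunk, but if they loop over AUDIT_PARAMS the check then has no rules to look for and may report success with none of the privileged-command rules present. I would add a final branch such as `else crit "OS_RELEASE=$OS_RELEASE is not supported, no audit rules selected"; exit 1` (or whatever failure status the framework expects) and quote the operand, `[ "$OS_RELEASE" -eq 1 ]`, so an empty value gives a clear error rather than a malformed test. The same applies to the check_config hunks of 8.1.23, 8.1.24, 8.1.25 and 8.1.29 in this patch.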
diff --git a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh index 9649a13..8011aa3 100755 --- a/bin/hardening/8.1.24_record_crontab_cmd_usage.sh +++ b/bin/hardening/8.1.24_record_crontab_cmd_usage.sh @@ -15,11 +15,9 @@ HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -if [ $OS_RELEASE -eq 1 ]; then -AUDIT_PARAMS='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' -elif [ $OS_RELEASE -eq 2 ]; then -AUDIT_PARAMS='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' -fi +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +AUDIT_PARAMS_REDHAT='-a always,exit -F path=/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -71,7 +69,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh index eeedcac..0f664ba 100755 --- a/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh +++ b/bin/hardening/8.1.25_record_pam_timestamp_check_cmd_usage.sh 
@@ -14,11 +14,10 @@ set -e # One error, it's over HARDENING_LEVEL=4 FILE='/etc/audit/rules.d/audit.rules' -if [ $OS_RELEASE -eq 1 ]; then -AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' -elif [ $OS_RELEASE -eq 2 ]; then -AUDIT_PARAMS='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' -fi + +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -70,7 +69,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter diff --git a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh index e2ffec2..f470d58 100755 --- a/bin/hardening/8.1.29_record_usermod_cmd_usage.sh +++ b/bin/hardening/8.1.29_record_usermod_cmd_usage.sh 
@@ -15,11 +15,9 @@ FILE='/etc/audit/rules.d/audit.rules' HARDENING_LEVEL=4 -if [ $OS_RELEASE -eq 1 ]; then -AUDIT_PARAMS='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' -elif [ $OS_RELEASE -eq 2 ]; then -AUDIT_PARAMS='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' -fi +AUDIT_PARAMS_DEBIAN='-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +AUDIT_PARAMS_REDHAT='-a always,exit -F path=/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod' +AUDIT_PARAMS="" # This function will be called if the script status is on enabled / audit mode audit () { @@ -71,7 +69,11 @@ apply () { # This function will check config parameters required check_config() { - : + if [ $OS_RELEASE -eq 1 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_DEBIAN + elif [ $OS_RELEASE -eq 2 ]; then + AUDIT_PARAMS=$AUDIT_PARAMS_REDHAT + fi } # Source Root Dir Parameter From 053fbf82675f3aed3670ad29d06cf7c469d784dc Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 10 Sep 2019 20:47:05 +0800 Subject: [PATCH 13/34] Update how_to_creating_and_making_a_QEMU_img.mkd --- .../how_to_creating_and_making_a_QEMU_img.mkd | 40 +++++++++++++++---- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd index 06cf65b..1121aa6 100644 --- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd 
@@ -1,5 +1,9 @@ # How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9 +In the following context, deploy with the following name: +Network interface: eth0 +username: harbian-audit + ## Pre-work In the example below, the vul-manager visual tool will be used to remotely connect to the QEMU server for operation. @@ -63,14 +67,17 @@ root@harbian:/opt/harbian-audit-master# bash bin/hardening.sh --init root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --audit-all root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --set-hardening-level 5 root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg +root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg +root@harbian:/opt/harbian-audit-master# sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg root@harbian:/opt/harbian-audit-master# ./bin/hardening.sh --apply root@harbian:/opt/harbian-audit-master# sed -i "/^root/a\harbian-audit ALL=(ALL:ALL) ALL" /etc/sudoers root@harbian:/opt/harbian-audit-master# reboot ``` -After reboot: +After reboot: ``` -harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh +harbian-audit@harbian:/opt/harbian-audit-master$ sudo bash ./docs/configurations/etc.iptables.rules.v4.sh eth0 harbian-audit@harbian:/opt/harbian-audit-master$ sudo -s root@harbian:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 root@harbian:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 
@@ -85,7 +92,7 @@ $ sudo sed -i "s/Debian GNU\/Linux 9/harbian-audit complianced for Debian GNU\/L ### Set grub passwd superusers: harbiansuper -passwd: harbian_AUDIT,09)( +passwd: harbian_AUDIT,09!) Related how to config grub2 password protection, please reference: [how_to_config_grub2_password_protection.mkd](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/manual-operation-docs/how_to_config_grub2_password_protection.mkd) @@ -103,17 +110,31 @@ If need adds a project on AMI, add the project on such as /opt, /usr/local/bin d ### Clean up +#### Uninstall +``` +$ sudo apt-get purge --autoremove unzip -y +``` + #### Clean harbian-audit temp file and conf ``` $ sudo rm /opt/master.zip $ sudo rm /opt/harbian-audit-master/tmp/backups/* -$ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg +$ cd /opt/harbian-audit-master/etc/conf.d +$ sudo rm -f !(8.1.32_freeze_auditd_conf.cfg|8.4.1_install_aide.cfg|8.4.2_aide_cron.cfg) ``` -#### AIDE RE-INIT +#### Final fix ``` -$ sudo aideinit -y -f -``` +$ cd /opt/harbian-audit-master +$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg +$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg +$ sudo bash bin/hardening.sh --apply --only 8.1.32 +$ sudo bash bin/hardening.sh --apply --only 8.4.1 +$ sudo bash bin/hardening.sh --apply --only 8.4.2 +$ sudo rm /opt/harbian-audit-master/tmp/backups/* +$ sudo rm /opt/harbian-audit-master/etc/conf.d/* +``` #### Clear the current log ``` @@ -145,6 +166,11 @@ $ history -cw $ sudo poweroff ``` +#### AIDE RE-INIT +``` +$ sudo aideinit -y -f +``` + ## sign QEMU image ssh to QEMU server, find QEMU image dir, sign the QEMU image: ``` From edc82b56fc8ed858bfbc45a0b056a320ba8ad4a9 Mon Sep 17 00:00:00 2001 
From: Samson-W Date: Wed, 11 Sep 2019 03:06:56 +0800 Subject: [PATCH 14/34] Update the use of iptables V4 scripts. --- .../AMI/how_to_creating_and_making_an_AMI_public.mkd | 4 +++- docs/configurations/etc.iptables.rules.v4.sh | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd index 8d29d52..14de4c5 100644 --- a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd +++ b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd @@ -58,8 +58,10 @@ admin@ip:/opt/harbian-audit-master$ sudo sed -i "/^root/a\admin ALL=(ALL:ALL) admin@ip:/opt/harbian-audit-master$ sudo reboot ``` After reboot: + ``` -admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh +admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0" +admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME admin@ip:/opt/harbian-audit-master$ sudo -s admin@ip:/opt/harbian-audit-master# iptables-save > /etc/iptables/rules.v4 admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 diff --git a/docs/configurations/etc.iptables.rules.v4.sh b/docs/configurations/etc.iptables.rules.v4.sh index 2d7e2b2..694b134 100644 --- a/docs/configurations/etc.iptables.rules.v4.sh +++ b/docs/configurations/etc.iptables.rules.v4.sh @@ -3,7 +3,8 @@ IPT="/sbin/iptables" PUB_IFS="ens33" if [ $# -lt 1 ]; then - echo "Must be set to greater than or equal to a public network interface. usage: $0 eth0, or $0 eth0 eth1" + echo "Must be set to greater than or equal to a public network interface. " + echo "usage: $0 eth0, or $0 eth0 eth1" exit 1 else PUB_IFS="$@" From 1a8ebff4563305231e34797698d8a9349b6a95fc Mon Sep 17 00:00:00 2001 
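Review bot: `PUB_IFS="$@"` in the else branch assigns an argument list to a scalar, which joins the interface names with spaces and hides that later use depends on word splitting; `PUB_IFS="$*"` states the joining explicitly. The two usage lines added here are printed to stdout although the script then exits 1, so they belong on stderr, e.g. `echo "usage: $0 eth0, or $0 eth0 eth1" >&2`. The if/else continues past the hunk and the rules that consume PUB_IFS are not visible, so this is inferred: if the names reach iptables unchecked, testing each with `[ -e "/sys/class/net/$name" ]` first would catch a mistyped interface before a ruleset that matches no traffic is saved to /etc/iptables/rules.v4.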
From: Samson-W Date: Wed, 11 Sep 2019 16:01:55 +0800 Subject: [PATCH 15/34] Update QEMU related documentation according to the harbian-audit project on September 10. --- .../how_to_creating_and_making_a_QEMU_img.mkd | 10 ++--- ..._of_harbian_audit_complianced_Debian_9.mkd | 40 +++++------------- .../QEMU/picture/download_01.png | Bin 53049 -> 0 bytes .../QEMU/picture/download_02.png | Bin 27041 -> 0 bytes .../QEMU/picture/download_03.png | Bin 37858 -> 0 bytes .../debian9.9-harbian-0910.qcow2.sig | Bin 0 -> 566 bytes .../debian9.9-harbian-0910.qcow2.tar.gz.sig | Bin 0 -> 566 bytes .../harbian-audit_Debian_9.qcow2.sig | Bin 566 -> 0 bytes .../harbian-audit_Debian_9.qcow2.tar.gz.sig | Bin 566 -> 0 bytes 9 files changed, 16 insertions(+), 34 deletions(-) delete mode 100644 docs/complianced_image/QEMU/picture/download_01.png delete mode 100644 docs/complianced_image/QEMU/picture/download_02.png delete mode 100644 docs/complianced_image/QEMU/picture/download_03.png create mode 100644 docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig create mode 100644 docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig delete mode 100644 docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig delete mode 100644 docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.tar.gz.sig diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd index 1121aa6..567f259 100644 --- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd @@ -157,6 +157,11 @@ $ sudo -s # echo > /var/log/wtmp ``` +#### AIDE RE-INIT +``` +$ sudo aideinit -y -f +``` + #### Clear bash hostory ``` # echo > ~/.bash_history 
@@ -166,11 +171,6 @@ $ history -cw $ sudo poweroff ``` -#### AIDE RE-INIT -``` -$ sudo aideinit -y -f -``` - ## sign QEMU image ssh to QEMU server, find QEMU image dir, sign the QEMU image: ``` diff --git a/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd b/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd index 6aff2d7..6605c2f 100644 --- a/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd +++ b/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd 
@@ -1,50 +1,32 @@ # How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9 ## Overview -Image name: harbian-audit_Debian_9.qcow2 -Disk size: 50G -File system: -``` -harbian-audit@harbian:~$ df -h -Filesystem Size Used Avail Use% Mounted on -udev 2.0G 0 2.0G 0% /dev -tmpfs 396M 5.5M 391M 2% /run -/dev/mapper/harbian--vg-root 15G 1.3G 12G 10% / -tmpfs 2.0G 8.0K 2.0G 1% /dev/shm -tmpfs 5.0M 0 5.0M 0% /run/lock -tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup -/dev/vda1 236M 37M 187M 17% /boot -tmpfs 2.0G 0 2.0G 0% /tmp -/dev/mapper/harbian--vg-home 27G 45M 25G 1% /home -tmpfs 396M 0 396M 0% /run/user/1000 -``` +Image name: debian9.9-harbian-0910.qcow2 +Disk size: 20G + grub password protection: username: harbiansuper -password: harbian_AUDIT,12@) +password: harbian_AUDIT,09!) Users info: user: root passwd: 1qaz@WSX3edc$RFV5tgb -user: harbian-audit +user: auditadmin passwd: 2wsx#EDC4rfv%TGB6yhn ## Get QEMU image ### Download address -[https://drive.google.com/file/d/1osqL0REFisSedOhL04dupC1aDM6jVpdm/view?usp=sharing](https://drive.google.com/file/d/1osqL0REFisSedOhL04dupC1aDM6jVpdm/view?usp=sharing) - -![1](./picture/download_01.png) -![2](./picture/download_02.png) -![3](./picture/download_03.png) +[debian9.9-harbian-0910.qcow2.tar.gz](https://drive.google.com/file/d/1HwaHF94AJx-95HeIVi4cUFA5aiQ_diz2/view?usp=sharing) ### Verify ``` -$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig -$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.tar.gz.sig -$ gpg --verify harbian-audit_Debian_9.qcow2.tar.gz.sig harbian-audit_Debian_9.qcow2.tar.gz -$ tar -xzvf harbian-audit_Debian_9.qcow2.tar.gz -$ gpg --verify harbian-audit_Debian_9.qcow2.sig harbian-audit_Debian_9.qcow2 +$ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/debian9.9-harbian-0910.qcow2.sig +$ wget 
https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig +$ gpg --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz +$ tar -xzvf debian9.9-harbian-0910.qcow2.tar.gz +$ gpg --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2 ``` ## Use the QEMU image to create virtual machine 
diff --git a/docs/complianced_image/QEMU/picture/download_01.png b/docs/complianced_image/QEMU/picture/download_01.png deleted file mode 100644 index 302bf3899170d8aa65655af102a107500d34824e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53049 zcmZ5|WmuHk_cjPfNrOlWNJ&aJD%}D~cX!uNgCNo%-5@P3-QC>`-CaWu!w~Oy&hPxM zbKd=BKQlZ#XYIAtz1F=6{iGy~g+YpefPjD{DN&@-=&+&LrWl)WjDG)wuV%~;|7qk+CiRcFjz%t1P6jR) zY!`;Xk!8m{O8PzIF@@L21GwV9kvb8{J62w88|s>E(UdI2mNwOT>p*bq2H)yTsaKk% zftM<-y|hY%-O6f*9mK{tA2x7+99 zctpBwb2sYXXF~pX|4R8D1b()D?inJLOQ8E1?>~hktk<{`K1Tf#^u(qjCOtK5;pp1A zJJ#l1ih`@V``cUQ|4h%BGDLy~`5B_1kWh;1=Wn2+UTwWE{h+oRo@IN!??wu)B>&&6 zzL}3_Dk@$(jVv^h?%2 zUA;>G@XNqs!L*94zZcx_iSb+i7By*PY(~b4g^si|>ZE1-_O>ZGcK@%b`i~&O2~tFs zKd`KYqVtf# zY9rU6tz+)J07T50Sq(p;OOpaAH=SCUYu1}jt<{4sY1xmeJ|REOk>$$gu-#Iqd9I}k z#n<6 zS1@bLfLdGBJ8c#y98kFCWdM_nIvzLfynaq_H|a|b?%i@<$-)GkBN&vn^`L!fKjHDa zR6!~XCVqvy!a8%j_SLE{KYk};2juieP-5P}rMIT02H{6WM&zvEJSu3iaBX!}Nn9N1 zyOCk7wyeB7QpbtAnt_2bKRG=+dvr^SFw4u~kjn|ei9h?~e0p@PKWnQdVOdsJB=!M_3HcAcQUQCWx@Ot&-418^`h5GR%CEGtXDjq z+7NE+&QxMNo*int*Sh@%uB2@f`2?b9q5G{1MBlNyRs}>`clif~gCCgN+`hc!0Y9c^ zwQ5Mi3d!bO7LZs51cAYbI?n7S=f@PKb{YK?2F*bz)3KI|_n3Zl<*EBca6?3V_gL%5b@T~0oTdJw&2e{pqd3iB_d+%*lf&%SH3zVGUefFft=%bt zifx`^>fjED-Ry&kGssVcxLF_SA!<2fI5`AM`BEPPsnc*C;>?0+u$~T%TRXXUZrRu_ zdC+pl z8!r;mv^WH;2ADn(3^7a%MH#eq%&Gr2aK(vU(T~6isna-{V&|QV$Ou0LL@b4yd}wea zL*;E7-fg{ZpmldP*Bks22YZ-ud*3RLMzJ>5F(cGI>|0H6|I_%J zrI1SCf^}!Ai-3n1Y5sZE>h`zEjxlAj6yWss{7gBuHny$VRzE8L>SlL`lDP^Arb9#K z#YgEZUZEryPL5|9X;Xm2n6rJd)r4zK;FY9@WACoT!hy~9r67)mX@0MAVROaJ%vO}( zKuT>${^cUTVw6&NaA*06xSnHSZdQL3wXPBxhxD1xJJhf@MQdP$*rLPl#(B}Y;vV|p0p7I{d@;eQ^LC~?*QznHc+Nap+wZ!Yw>5v@H?*dtU zK9Nt*(aJiKJVnUdRuun0Mr#P2i;$4#gSA)xF#$gCHK~>VI$wV z-@+9kIjrF*)WIpgHEyg<&9l;wz2O^5+v;*x5``0FAO753ww>$#BPtkQD z;;R+JlUF7BpmV*0&-WLSqSmPLgBd=sqiWfxg!3M%r@*J>lc2otMp#S*$EfIc=Mr}B zL+=)2Dtm;z9UqsSYeHmQ?)tRfdwL^^!)3SHOZy@Vklz(s-TKYwHR8&oMY`^gjO{Oe z19M1Np1JB%1tU96OXX&&-Mn)S3-V>m5rZk?k{WAWNo>r=JV#w5{9=C@Ie)k|zPP+R 
zI6ls6Y)mOA_;Y69IvW1)F&lSbVS(`F%h=dh&SL)ZzwO!pVExMb%i3zaCWy;=r~~Bs z1IrwOZ&e%z+IzNuq+s3l;OP9C*jKBORK2W&RJxb{re zbk73M-ntv)6QXFNuwAO%cSUVn7`kIZ&Ga&wQ|P!*T2CvsN%Vzbj!i8h@~@RMQsDfG zh$=I@*RoQfsS<`4NP&;nQR~G;`MG#uFN--Sytu=pD(U;GvDjW&e|~_Uq&)lBNIwOeg+g{^ys%{BS*8mMrECpIp)+i$%tlSNIJ2+@+{O)x0 zS3iv(M28#soLsx|$Nqk0r0r3*v4hjRSlyfMqh35@@sF{gKOEu8T(fc~seROS+08dsx1onNU=!-^OPb_~z=UByDm@S3%#(roy zMYrcg`LxF#cZ^WcFFo%aqVc!`@}U&y%ob!%GAp~*(6)z`^Cyx1 z#Kdguns+B9(U+Dt%FrZ_G-@}zwYyG{`1#!1ROP8-vXwn7TI(OFW`Rw(o_fewuRo1P z+36V!C^tQ{pKI{#7)LchxA&ep9HKIRZca<>uEjeE;!QU$0S&41IdI4nzX`*j+n0c4 z;bE!ia-7?|R-0(c_*>ukl8R$9$i+i@L!vO)Z}k?mH$Sy#)Bc`<$_|Y2s4bs#nH0^I zKX96RuE~mM!KngyC%U*gn;8`j-hu)Bu%H`TEs$!UnO<4iLz=sjI$WKRdtLBt09wq&&*wPQMt%hhSXpcjUdd|B@y_jdhe)cr!I9rb$dsQf~lxq%jJ2J_d8mEpus2a@iv*O0#EM$YK~hxfkU zExz5m_T>aDNMb*u4m=ALy9n2SOc025D-2$M&uU4cG~2O34xk^zN{;RC1NPK}Lv`Z} zQpxwEUj)`jwj8x3QG-DUQpm8<5+-vjo{gDGHy6}z zEv73MzK?gqag{apn+L#q3Woi>o4mCBJeH9yAN@bLVxY02wKW5-o)JD~PjlUni}{fU zcO$+xH>Za}p(bM`LO;_|QU+_RrX3q~Zy)p=O5q@m@$Fk0A))5+HriP(l$!tPae)$u zVWljnlCe4?wOD;baz|nF)iv^&bQ3VfYF*?Gv3*UmGh6KuQ8wtK5zY6n`5viSeCPW^ zWU`kqG|7Nl-_|-soe_ntH(z+@tBCdb^U55YV$}~9Ke7z$*BTrXXZKlNWHtSmIzzX% z#u^zT*{)0z3}`(hY*)b_E?ncUm|yb+jxJt%G+ZJV(jX}9uJNbs55Bb?UC;%bys2ve zRB4F7Ktf^d&^Ht!y=ar#8i4}YDUPtjaSpG@5pEjf=3vj1GR+r(pQL%ND}C-0YygjF zujtX5o8|y%OXt#DV}XxH#m#OP*DPbJ;|1zesB2I<)HTH4vF1UBugIBNrR*S6%@soq zjC867l4W#h%oRsV8re6bO3x8u8J|>168pA3lbG8wk!S{pK08@CImo+jBKdYy!f#*2 z;P_dV6cFwbu{lhcgLejR(tTm46(O=Z_n*K?(_$UMawHAgG;vUlaG>@R+(H z`twX(T|X(Tor|M*FO`&DO}S%{Fw$4Fo?-IoVBFmsgtp}v@Q`?*?AqRQD0;T2e3hF1 zt#+K9M9O`IO#C|EVf}&8m}%osm4HXOn|#gV892gNHyC>w{f7tLWo$RHa#X=`H>~SA zf6%ANUh3N~qn@Y9AsPMt;C%-VMdOnnX>-hxIVgm%qoN|74=SScf*b=oQv&p)Ha71D zvKfh#8mP%5@OfU)XrnG0-1UC$6XjrOxeskO zdbPc?6DjWp4?uKtz+(Z)3WaN$sS5NtlZ<}tRN-b<)nk^(e}U|DjS;KCZ%B9}?|Y~s zea~&LUc_-PqXH~WUPc9fZ5h^bA2w4^6zmOVZ|&W{oj4kXW^!LLnAFs*hY>WsTf%yl z&8Yqw*Li{`*CGBBBR<~*SMhxYb{91gCN8?9@lx{>s*c zZ1DRMUH2BGDbllU(&6%W%&t+TwFzuS*A~Xb%dk+;hK$DtAe|As!R6(UF;lX_Uvh^E 
zxV6OWM#O!SwYb|>psy|L4wWiSOGV>Gm`_njob&i**O0K{@RVrBkZYJV8V2@@%=x4P zx{Q{#Y^gZMtG5D;)qs7IASE9SQ->&U^n$uq7F_IaianQ)AVMDFJ(D)b53N<7*|sLde>N zb~Gv1H4771Ncs4%r{~LYP#i83_Ucwz*Z$gUxvi$)$IFt6<^}O@pTEOS#vLoRd~Z%b zYf?EU6GD-1gkpYwMG5@W6M@d*xQ-Say6EqSti}>%=L$UMUEQnw6Gw^Aw6S3h#-<>3 z&f47EbizbnprgBvXo`fx=z0&u(S(?oud|ESYH42}Yc1 zeEhn@GK7YI6)eMfeayQKWu*`JmeY5@Ugm8V?xl;I6Qrqtd&AxTOr4&5ke4H1E3UoB zW+q<1K0`s1!nZ$)gco&kP8@x2y7evo3&=LXP0jl0m$h;gYdwRXsArSA=q7oZU(rNC z2P%orAEawDDFv1s?9wet`}hpMIonF!&WMWI9p3@n7r4{u14C#r5podwtWucW- zzDh$b9v%koXDkG3z;5o3J<`n#!IBW4V0Jn!YWyC(2gLCV6CKN z%|U{o*&wTpDk$3!k9diBfuPjrX~Q*D5206AWLk=!w39mw4xhHJ^6BDID({+bG^SkL zMB_Gn#drchPTw2c3EC{M+@nuLV3OQnMpw*|kfUA3ahpFvK_V8~$J)=_rlqYtlp`6A zuz!5KJ*#1WvR;s8Ps7JY>>m|{otl=`pPpp&s;0J9MMp;-9@K(I58=)vT#NNbQRG%v z$2BzxD$o-I1qJy^p)nL&Apib50O&jx215b1&#o90EZJ7F&*yrkl3Ml#z|Q)~v2TRh z)?fzR`!E#8=q3#JEXK{D``7)V3$mbT!waU-x*kQ7QYcPoTu=bJSnt!FRK-LB_)Qj2 zJ4I8JUTCm#!zz36Va5xSv9i|bEDotv%Al|9ew;CTq6$f)r~5Hltnj{$ld}u!_+dJ9 z6@{Ya*j&f@QjRB!#k7u3P3IYl@ypoxpk3d5%bb6=c2mJ z*K9C(%ybxA7f%ee?sO-1i9NrAvLN>qw?Fb=B#Sp~fk_A2vz6=Ik2uuMnRIMP>n$p} zI?FCVtg_8*^a^i8z=f$Gws@|ayb=+mdVnK{+JqiT{_{WvRPD=@DqSuRfQOP}AJy_C z2&T9R0K7H0+dU!lATMN_CnD!vh?R9iMxDWVE|z7xoK;mp}-vj(1M#GnRdP z1=OZTk+m213Fi1-jHHBKr!Azc``sWPQ5Gr^G|^ArMVnA9xMiI^G=b`V#|$UzDBT=i zsQ`cCvm3r`O~rTlW@*a3qi)c5BH!J4Wi#~qiw3^4?+|!Rb|cYdC^_D`4=mU_xJb{E zpTx<v(6^OO)KP3$Z^>1}|2NPox@Mw(ra$JgDel1-i-Ox zHa%61KhjR$nmjqYJ*Uzi5AUyw&9tUFcG|#NO7?}&66W718Rozo`2Dck&w;ny=mZ6; z)6N!pgW}9`901{0tJZaP3;pQpp03ZU9oYNqnT-b%tjJd;R9z=btPw zM}FKiDx4J!5j7c02euc_)Y+Q6-WJH1#{UsO@G#o$frpbafTw+RtJlR9(*?M6nu-pS0c;mvZd%bFN8?RW$tg?}2vD{fuht5dzr5nboVLHk$1E`GDadl=JeX>} zWnW7UViI*2`&ex=mbvY;c?!lJ%N`zR*miWl2VRhh( zj@fA$9>h0XW*Z{H&{m<8nTm9zVancgAQ#RmclgM>$L8)fQ@oPgVJZzzXImsiD3=B4 zj{NEFInXnJjBCa9d(+}l$n86Gv7R*_7_+V@E2ei(cu98oQ6S^*c<^w4odrx84x2t$?3UWC zVQ$zG0`}^mP(Pd0)XL>8&`l?h?;eUjV0xtz$jB70a44Eo)z~l~RnyEm@?6|kmruYp zd280;*QJ&4on;8`gOqX_{kxr^ip#U9Wqm6NbjTeYzaO7{G-`BzVE?pK2lttN>^}a* 
zUCPBQ`0@eO-c(dJspNPpVLPN~BPcnIDbv;A4F}JejD}sQsq#jC^h$7;v2JaZ zH#%UV{WZ=|o`IxF*O*&TA*4@M;rMe~~V)hxEymH1+ zgk;;i-IqU-HhQcBEGHC~iqtjaIYYto1i^&y|`C>jExY0i3&vw4fQL>6Cc#v>E>G{v-Rs+S<7HkZgJ( zEw!)#Hz_B+xv6ywkLx4vpLz8Zt^vxh0Bvk;mSb!1Li~ zy&sLq!Bo0Ed4mt*py?KdDEf&#@yZ|ZnTqb_Z zS=}k-U=8+MLAP!k5@oz#*O6#8%&o-^`$8_Px!^RiNxSrBW1aNJJxd474A{={@ftZO*|7p4fLq@-xi`vv#HYtUX8l0xdhC^8U>AzwPt}%cJNhY=pSGijmggIWTyp&Cb-EGlr}4VAmd-*7 z!xUfkXx~PJ%b-`6P#Vy~$J{o;Kb=FnVC#W6N@7S2-ZFpZzXuv*Gl#o@-gHP?Kj0CU zgZ&qre#*xJsEV2ok>$X<NMi5>^Mf*Ex{(_0L>*&Ui7i-y6LY&zBjQI1@Whh-r&M;fP>7LPH zsz`&7kD+X~;aI-zQ-V%o&)mmwha616cOSU*%2qK5`-2$KDlHJ$^_pCBhX2QGFfs0m z;R`$v;0>u!^R1!gJygaw=}X}Xy^k=BH6G{a4Z*!~pPKUtb2s>g>GA%Wxbc*j^g91f zR|CW=-?7M={z>T%K*wG?9x|dTE4m7dX{h+HUVpAva225M`d5>Xo&x{5OW=P=2xGu4 z!DsxWkyA4>e;5m32my9*KNkRx1hHfmuA+MmTw}Acq8Ds4_h~}^jQhVbK*DQ}xL#Ms zdw6)r$ini5ogJreI&`*}q(G8hj-R}5?-CCUdA=PerdFr~k8|7Pgwy?rfB#b~CK@Cx zb#!!`8g)m~_#A{|31Xc7&N0)nvPLd1>lPOmbG!&VK0Xd*OZ{ieKXp2_NhU#ESs7N+ zu%xW)AU~nB#8~{nbm8>m!hV? zPWV4l`Kz|*NPgC#sHh0fDMe{$No=#g*OXUOWR(;C9}3D}ujyAL!To~sx8Wh_DA>VB zaDR2O7x#}m{;$Mv87d$ewy#wn{2l=G9k{;zJAnVc@tnVssv+=`W1Cbj^p&vCIKP~? zIf5tGO9aXV8ACqrIg#N@EiD!%9sV&o`8OxLb7I$w>}Dc^n93|YqGNRYmy7ez zG>e7bKjVAziy~@8Ymc%vpeHL|b;y{sB;#3ihhlpr^XSuu8s|^#$XD8e^uE|3m!%Mn zy|vi5KgiP>^X%Jep}Jp3h3CN^p;=FW|Na;kL9R-X2&eAdBOS@o&y*tw<%rq0qJkv% zjL!Hn`L6|vyApcOzDrTa$x?lEt2ac+_1(X>z3ul{BVNafS2XgNGFG+c z-9Wd^>38kLft+6)tDe)ZPrpmSpMP@HI;?ZNdSh8{0#@o)d9O0pVX_kS45QkM%Bs+H z(3fxl7ECSu1N3tzlA+QySQk{t_Am`L$aSW3B})4>&<>0HIXNMrITrqa2Rp&A^H0+t>wJAv zx~@(ZY`W(PTgvGFiDV1o(ZiIu3b0cYpS7F5&Up9u@PE_H12-#Zx~Qd`clJ_JxL>oI`ipQ_Z4g zw!mF7Dwnn9=2$3J#3(iEEcD3rped2-MW<2b|yzLr`L}#Bg7HzV0BquZX z0J|rPALO}w^gp}>wTPGkq?1k^mu>H%T%~(2{i?iJZ9t;q1YD5c5Br8pc~!Ted(e&8 z&&QZqhSyDQr4&YI^*S5(&S3!wpD7X1s$e^XfX3_Z(>o2nV)uY|WKlQdPB)7W2@tYi zwwBRQA~8zk3bze}PDA9ZapFCHj?w<;$&c96Y)#22T=D~zfb-i(eHfhagSR)|mdI`} z7J!2J>({S!_y(PzKeB25_TL#!!trkTw^Gx+9V6~4 z(kMr~Ik$M)yI$ORoR(M0KGxZDzmJ)}$V3a1ZDl`Y!xs@?eRZPr>MCY}{DnHD? 
zJQp`F(1RRJ3J1)C`?RfBK9B;>kxTSXS34D%c^9=qc@7sGAe}o-E1-6{{gtx&Q;j8# zLPhhN1ecV#Gp0;W9ElrLG(!fiB2d10l~L{c2AD&)Kb|nw{ESVpVIsji3j3y{{xI|tUkR?t~KwluoPzKm^kEJE=R&*Qd__B9nL-Z+enE>aeepZ$j{BK z%xqT5h)ZZwC+td&)xf!^^Is5-#kb5>c_BJs{-#6EDt@LY| zE#F3R+8;kIdH;Zj*2bk!?m^q%ZSl;sL2AYkh=_ zHvcVfXvEeCo{R}g3#;mVt?gpJ0aNJOSVC7{@OZ*@L19jQ}TJdI3k=9x#r$+_5uP*EibM zn|CQPrr7(nHlV(Yn?|@k$;*2qf~xs%d&M?kfq+BDlkl08->VeMzix%S+PqNce2W=W z>E(^|p~Kge)u!H?QKyCfWit6*%X2Qeez4+YO3tb;sCg zy+(DjcUG+pNxA1jQ4z9Dv@>_7r8URA9NcA+jy^Sq-6h?g$0?uJdB2Mm@sbB!4d0+F z`^obrlmN$;66}!CH|h+#4sp%}M#j=EA)+eBUKI8l{Oa1ur3(M%P` znh+n)-=2*IIE(#QRR%t^WR#e(?Y2gr1Qe$@I#X($M~Pudd7ohKp^Dui;yywDrWF5g z#?Iz;%MIt4{LdP6tY6Y%ibKqlM`64kXTu5q0;0?U4)d0nl3l#iPI#KcAOHg>&0Y+ zhiP8jXi=%DI!H!y`X5R+=Oq0bg!_u&C3+ei5|5w}s&kID%MXZ2x@wNkr}<3eosH}C z_qV?O$Hd!`xgqcqVi?t0BUBCyXvxS8r%&K(mZ`%@YrJW8w;BI=x#is$B=VDtH z&YA14h9ir_?Y%vhi|xTsw(tK|cM;VpDE=kI#f)rheWsj|9sqcU94QKfL_|*ax96d3 ze*x8h8bsvcq5gUKPk5b+>rx>e4!2@QMie+XISG;fqNx6F3XT4n!AsPH7#o*RG~{RL z!hqP#O=A?GBpa@lmKNO4zd2ozH!`Az<0Uvu95qkd&-o9UWYk2wIbPtp#a3rlDkLbJ z9&7!D?_)^Vd%Z|IxS-+s}+L_MZ);#Kgyc zqa6$#weL2rH0DivmqrBsi}d@y&SI+BNh9$ir9vgTz6DUlMxH^SB9J!P@jKWgze*G|J&$ZV`^rhw3-@j-EwRneX!Q()5m;x+YWeJ zb$9H7Y9|#^#{XPiaL#_0V(j#@I;(cpoR*83?8O0=!a zb(MP7F*-Ub4Bd`@uDa%JRL|X-g`g^EF7{n{{w-(1LD!Y)omcRI7WVJGiL0 zn1&pi%Vk%=d^EN9VrLjmu|`o2V`tuDQH1@+Wr_WH`r1ZSbt)v9Cq=>3 zd~agL(OGw>%BcH!CSaH3WA>-zlNgzA(PEFuVPP0;*JTcsKF|xNK@Xagexc6Ob#Red zA^ZSrW%zW#lLmh6S!Fu)nvsBAbp3*DUS2_DBl!`i zV(*|Z>y+SrbYNipyq{`M?CDYrx(aCn5#&Wl<=$@+x35R?t-f+;>joU;Cu!E%lCx11-3(_jXd{Q;)QR@HqJ?iY*X})>oO?iWkSjR1cX_#ZWOKXJ4h(C5fE9Y4 zT=U%eJZ|7b4EJWj@i-N;Z?5nox#~6B)2&Cl`8aNKL-Eb09YGs9!R}P(8Sv3Ve|}M5 z5``omfdOK_S;n_!KHBWfPx2gSLt7@&E^zK_dP%jQDiS63(Mn_hR@pKpW^_+UoY}F! z?6daxN=XAMC~U&GhWkKp)3EOdAZf4?9*dJ$;#J@m9uc*;Ajd>K^W3cMY-Bz@pV~mb zV!9j{D^W@IKe~?q$^LVYwpqAd1V*OuRvS(4zRQnG%#2zPzWcO$zSR$1826jA$mrf! 
zPqE0{nA35fqooa8vTu$=rSkbbF4}&-!!F>wJ@D&Nv1iGl9jl|s?dZ=o^P;$_sSyAl zK)@A(d*8c*!okr|ii&M%76E}2n~K&%xRBf+e;w~}onT7}x5xxM_jdromX-l~8NPLU zJ3E!uvu~|!Y!=|Tf`;vsZC7Jn9VxeCopuB1;F3VFFQhWFeeM21@U(f)CRb)ud8^a+ zSoR5nFG*kvjBlM^$rTx3yEJjsm-2M!;c4W}>2be+MTk{dF1@G3+p^Tv)eiJ`mTn=$ zIqxC>j@>k?UoI9OSd=bXC^Piew+;t4MqiZK^gm*zR%d%WDHgBx>FAKAc&(VlYfsD6 z@m6n@@sMZv@&W7kiP0RZ3c{MMBso~^gR#^4{at#N1}0512vx@NvZK&vs?AoY77kJe zeSz+FS-#^D9MW^G9bUtu!p=)qU-{fXMyuX7T&RmQ{z0YTVbW?V{o)&(@pKX z>^N(I&p8iEdaAIax5C{rQK@z+R}Zgz`{S$hy?yo7MNj|d4lESj*h#E9ov}rPIt1AYR(+zXWDPo(G z)fyFB&=K$X{UVZQHQUx#)CwB0y0)!-^*IND_Zgso?q}0&R~*A~W$(d9-13<4tf1aZFMY$YLd3z~%1V?$z^(mJ1AJk?WaX7m7V6^=o5? zvn5(}whJV(K;6HBoPX3O{Gv}fLFbyi1ufcr^V&nyC&r#ykiO9C+ocl=G1x)_3J{Sz zDrP)s)eclXe)|Y{icLReL1=3;7I+$0esYUPT;Hg*1qMA?wuZOsh}sRfZ83LD4iUT= zZzusJou1D{_K;J0yYqPL>7#Y7U8<}-9`VmAytcvC7;pZ?9D<_TyeY~iKSo+FEaei> zZiEB$tbgX<%$W-d?elc0+sZP1}#%%CjJupl+>rvBQTjxLE7bFaqJT)7g>6kUjg=ww2`H}s{ zXV)F-xhRlVD@{-lJeHlLmrusUo`k`zkky9m*->K(U&79#%WGsHVpVnZ*7rbZg>;6T0V=6)nwiFP#|;y!bryg&H-qf)_+B7wMcZI0HBd zezt9jtil{|zI;HP9(LFnYaSY;s1nXN23)cV5--awju~8@sb|rMDi$4ZN5J^XDE!7 zchGhDQ@EScFRTtk_%_dqx{nt%5EHJa{*c+x%68X zGtR%LQv^H=B)${LWcALvc$~}aI0^1%VE1XUVymjgRu;TbYrEo%B3~Lg|IV?KUwML! 
zdT?;?pwH1IZj1S1Kf1vUvwkCN+wpvvDNhs8Mlh}*A2MiiCQ4QeY$2cb3weKjz3lOD zrO7cR*H< Wr-clbZqTv%c>|KT7T;+@kD-jCKgWocHq*EY0vj17sq;?p zHN(qt06#GXWFI-+SBoGQuox=omyTt6iLR^+&M>pntdah72UF8bn{WPFbGch?a23>3 zBwU}6CQ6qx=$=y6}Z@pquFCdG4 zgqTu21a^WRR@JVS$&SgNY^B%ykhR60;&T&ISXkV88a;Z2z_jVh&EaZVJMqdVL&IwI zS;}Owji#Mf3cQ#j<{v1FOm#!R9638cNO^Ld;eIzw|w{D2X|<5orc>hE05BSQn)PoR@$s*i!=8S zA^Lq?#w2>nk6Dk6M=2xGPjDVDOKW|kZt|RB2_P3ALymq6_O#G^`TN)K!_!uU(ev+; zpLjoT;PL4Ss5j(US%-TaTV@Q^^eQb>?p)baUdP{wq%6qVO*$(pR!7NerzEnnX<0Ys zZbfTXndd$X?^4 z7E6fxy8T$wx0zb0PSq~aZ|+|3TJ6alkuyP{O7n%y4f7JSjG~WS7}T#Z5zPN|Z+;B2 zVCG|1kDPfkuO=6+rjR-+%Yu46dr_-h&njh=P^OleSo)bqHO_b~`V8|bfr(YiVn_r; zpBBNH# z)Z5IX)a>5>>$grdQ9Ibex7xYZPtH}%@ONPqj$a{N$<0yv8!cr<`pE)%ilsyt-Pf=z zjS_r_t%gF_HZl2|@#9zUCS^AoXOco{j;L;E11k3$+p$8z-Ls;v_1Y=qnkT$eBQ{04 zi8geO7ZVA>6wg0T^G3#}#pJ{lPJMRP+E*R_V#r*3C95$qi5Xs3Qnk9gx?i?(dvt1&L}d4t2Ipez#B4xySwwnQqKVF*#7>kxsn3?I zBEkRV1iU1@5qU^o&EVCGqi-)Gsou3-C}h4KuA{JCs0zx-DOZ`{(I^32a@Z~0g(tGX zK66=&&*m|K_g5eV%pwoE3FSsD19U3N8G>I<+lZLeEpN{@yf#A_t_EnM`JH|9Gemvw za?16H;6%KspC1Bi95=eOt)5~n5Skkszre_I&xaVJv(!Y^ z(24Haptyt5a^9#c$jWgHk8YQ5dd&e`Xro8B^2t?+YsGVo!;KI2()-6Wq3?QWsw=r> z>AgjfT_S60`~5esD5#tXs+W9|yhtl}&WZqfr zi~$i47$r$o5RhyFB?^wK(e`QfOVx^o0 zK@OPC+7voD+rkzDCuW<<-!`mE#cW?(*K{)LX>*G9`JntD=?23!B@YXqU{7?azgx!5 z6FiZu!(=V~H)Fb@KK7l)I=*w+kwD=Tr?T1t=zP#COdoQ_T|?9ce#;uTlJU@tijY>GintTLz9yGoSm8&)l{ zlIdO?`KcV9hi~ulwCBkkh{(ipi@$#_QCcx&Uuy9v=R*lYV2tzZslEjV_Z-uLZmaEk zGLdg*_5A%%YF_EVstzS}QDN1Jhp%%cnkj{Wra z_^i@Mp01{L*hb+QG%(tOhp@N{`4(EEZxmbuaAK!<$_GP7C^>1Lq{ z6*omcJ9{#nFy2O~y113yYsst4GYC>xkDL zSJ7S{*D*hrJ)XSmA*4L~0XG?QtdrL2RkxT{XOfRbo1T?|QD@-nDDBM1InmhQqus6T ziEDg$L6`DcjH2X|l{v#rH$ya>8yW=&OJ&j%;mtN&QXdB5r<+jL5wxy1zH({|=qDZ- z4xT5$#4WV{NI!2ocuv$VBG*Fsl3eIlkF)Q6if&(qDQvANQ z_>|^K*GCq%d&ZIlCa2FS#4Q+C#|B(~MSE#9Pi!v4EvrKZn<^E#HW#Z(A0lNSP@t31 zeZ{b`B_Kz`>MSw{V?&n}NzXv;lOg~pU#b5$+PGKU301-rzrg3)v@8nL_*X9or| z_wLh@=B=q&;PVyRumfhxcq{oe-_td$YzZg!zTLomk0Ul~c5!LU9REtUm{iw`u_`i{ 
zi}*6s)!WBt@zFO!LHK2Lcl`#jVz#q)OH}ToC(OpwF81nnyXsN0(e>RW^9F{!=BsJr z%|i_J(*~lWZ`u0O>;3l%L^dckR{79jbXEmRqby_bKNz(P@(dd;EISI_{QWM2hP_Lp zB-@U4Xur3;BY$8?_L=q3udD6d>Qwd563l7X&d)Pg`i$is0Y4J+58^^k<&g8_pt-g0y=ubM>+tO?2wkVV$=Kva{aM6SPM?9jyTxWUj~Y*gnNL1Xf0(Un zq@^3PYM}ali!3ivvenQrWBP2};DZM)l9b(x!I!cMC^<>FkYR8 zs^z#C3JQfuiqq2>;!CK@BAdlE6+E)EdcD6Bys4GtY@Mwm3{_(|*;IP<6b6!17>$g3 z*oyRgs+BBps{3L~=F%C>MgcOYK66x?0sI$YrJjghx%HER}`g z1{0;+deZ=d(<-q~s@8k_jOY)G6>TqjriA&XS1VEn_9+=fiiZ5)6Of8wt@+&E_oj($ z*JQlT^O-uPCO0uk-ZZV~N}yb-W}!*eJDx1kHioi?uX?U_D^2j~~o~;-qGddA! z9v9`x(!W5Oc&_~9EX~$g`NnyCzO}JrwZ5uGtdmP!ZCHx0G-JK8Su$tt$5kdCuFa?2 zDwtxcyaLavR{k-n>$VN|7DS%Qw~2Qc<{2^{R^F>l(d4kyjxO7X9Q+Xb1m%nBGRi0> zN&gy=Nkb@7kG14OD~C^zP3!y!w`SK#=`deiWh-aMr^7rK{Uv3t?#rbKYJt>;OWmd# zF439^3S#=7t_vKG62T|dWJT69(gOU(eymhAov~FF_cLVKc=n3(>O?HZjUxZ_J11IV z{67e9G?ej%p%wRTM*bk7Z%j9+zM6NVSSOEIV&(_4%cA@J&Q3<1S~-m%r`r;`Y-p6; zGp^$?@0Fga=KfF`?7W?+a6I5YCWWY=%A99zrB*CW2m7nVK;eUu60*a%P>^Vg0f$uh zPUx^V)s)ebn4OccJ6R_30)d*xJWR}=T8CkWg;Z4l`4@bxdfi&P^kc;Br{CUbMjo(q zRi1e~bN|A2$yAIj-Aj%w>Bq*V0y``cUMJ4Be;{Sax1UqZ(kzhlI!WT-GFaihmv1@5 zUs6({v-%jgo$d5ltZ}kKv2Y_;uaMT~(TAad>UD$A~`Z5kKLbCTD9%7(t6K@AHYRAO>@JyZlHV zvS81U#7~o_tpmS$3nqH^s}6n`&-zq&?KEGTgwUSYjq!>pQgYo)Dhqk-oIAlb_nB7J zlvC-JBsbMM9Zb63@3;|yi!D`tlwWD7S$gWU*U;gl?O{=xq4t~m^lIlwOO}WavY8~Bt z9G_U2oc8*7@~J&q$J?~^bOH6A3by@~-B?{@*B91$iWFK(kBsH0LH#!VpvkQ4$o=T~ z4dq6Md;P_>I1k}KR-D5dE)}WF)zOP|G*oJ)Zxbs&YvtE5@CL^wa4;Wpm)~QXSvBiP z?<`mSE*^Xkqjx4{=_~`c)sXb=EmcN2^5AEu+U#YeG&6oo=_;=M&PyfvLB%asLq=dn zQdf+7s}J3qP%oKxB30_S`<~|?j?})wm5*XOdpj&QZ{DS*UX;9}TD-57mul3Dqf-f$*q3K)HeBY+Z#(Hr$Hc-S)z;P)A?#jS<4aB(*_;gNs7X|c@6^Jim_h4<53dtzhzA~EA^BFx#?Q6=I1ISzT8 z$L^0?@id~yQ;IK1)jLdLR8VwGqLEV^YSP<}&z{13J^awmp2dI5d$a3P-9=3S+u$Fp zC<6t_!Bd9H6mlDUR5+i}F3EuS%hmfAvO1=)l@S4%V`-{WJlGK7cR#m@R!@-XUa4yF;x`UXG_NMCMk>0~c3#WA852l8l@b^Mp@xr~6!c2;IhS%Y zbDuM}^ZnVR^hB0ho)Ou{?|_q#*aSmDc^nF*unO&hj4Ii!)i?9jq7qqtbdTp?a{A? 
zLZ=K-fqmkhLL!m<>7DLvA9!_>-X$}L(`-leXL8^KQUl*avznh`M_EcAI3-nZ4ay@(rZFtu4c{tztIFuPvP7U}7anTVSQ&@VIdyf%(ubPA}hTTEY=Kaw=_#^l2p;!8k1KzI5>n>zFnLh!fw&) zaq#l0>7H!}uh)3_iQx;s^{R5oo@q>m=Fo5SOByt0O*pl*osa%A^^p_;eGC!|Zwl8s z3b$&XY51w^m}Z(SmOSWjdDNGqwK4jYs^R%Yh?$4qrB00p-i5(IaY)=Tuuqb=aIG`I z{S;?Wv5FdBjHwUAFD{{78HF&@wJ~j#H}aZ>ugwbBWb=#0$`^zs+>SF&rq;7pJ-{z0 zWPY-K@wRN!??;Va$3YK{U82F3Sb-qnbDK#}m$KUrA!q-@Pp-jN@)Wn?7g&eyhE9tR^4XxQO$3H?LH2h+ID0$2#?HD zRFv)}$M9E73N(j53F@0q%QhQe*;d}A|E6-KDjZH2jcVqsXV@uJBpe2;1_rqr;Z)r( z()zSLV9<&gACTnTv|x}h)HiVtc9RWmQtZ3HleRteTCNsnW`O@)biG8QR?R)-jV+G^ zPkoBL)!9XDkIfFD%oH@qL2S3hJJs>!x-|={=k0}g8Zj*zjo703*aG)vc6XKa1>%IF z2!}F_g8|YCJpr0L+#ECRLru!3w3)M|W}h_h`^CD%TT!?dTC{KMDdMm$%2p1xG8+~W z!9!jt{dONa54rJXExt0GltQH4Z1-j4qS?CND!h!3`Jl@uH^<7OF`l&vOY*DjjBsxz z{TlC`mX(=1k7)N)_rsr^F4r9L!hI(po|-o1O>on+Qw#lmDVlYdL!9^7p@M`M@6PrK zrpzAj%b8O5HC85{i@vs0{CvGLcb&iO&B;_}d}Nnlv!f>G)YR8IZnSodaj3lF#$U~o zLUghDRlSAg8Z)Q&Qdg%^U6`G$ZoWxM!+6zr>rj zhhNs|9CxGrsP#*IE~8jX&s*g|x&Lg%yKD{3&0X&UQ|x|>GnEt`|e-4{i)_sk{u;-!~(wGRwcoB0*gb9SBSrt$;Z z8Taa^68rb^)C|*GQ?*DHs*Ujx!E8SDO1kzubQ437DkU0yxxLa8eiA$Sss$^E$ui__ zXl&HZ!@Dq>5>UH^xvtsFEVOcBa&jf1zY5EUuwEkIGr=QeU<3MhBA){DuKM(vi>S#_ilAWLycYy)b;s-IZj!t#8tqD!4fuU9fJ%weJtg)Qr%@mUt zrtU^o8N>N0k*44Y$nbN>fEm z%?RrK+Jn;4H9bjllGCP{jE5VrIffJR($cz2*S36pDc)yU;VVq>73Cr9I_Wf?`wD%1 z^v0yv;^I_TGKyPIUq|p->C*OOHoZGf`_u0+BQ)&!Fs1|LR0}qZXOu?e^RHS$OB8V$ z`ZV3{Z9=4@Y|$SF;;9(#ulII-A!Rg~%eNpZE^DFMy*KATqxQL4ug6;_CY|~}VH@p9@OK%r5#>YRwl(v(AJcf{}ki4Dj{^ZJqFpQIOydV6ds-iJU#H<99B2chwT|^ zxtdHzJ~mc0H_IIP=w)#8$}E47R1jwT*q&WCCZYdimv;EPh;Psx3xB^h4Iho+_~tGq z&az2K#U7)9Q~{0p4>GyT*)r4gO)qL`B306Ae*}$Ep(i~y2w3fIU%KkphCsDt6;s6- z-)FTNp6S9z|1;WIV(bu_t3HL9t?$efkLBQ_quc&1RUJwmhfPzz{4pV-N*X;=Ny(2b zhX;9m#nuVhv;4nmM?}q=CnYDQ#>I`SYJc}|X8!}e6A`^=%sjVt*8!_ztkm*pKkEqH zi@BFkQRdM?wwm3Iw@8P7ua~`i<E;X&uidq;jEKbqb<{UB*QZ4i&5~cP&R_(h zs~!JNkf31sct>`;ubBRV&O8Zj^5&nX5=o|d?fW+yDH(~q&CT-&jXw2``|U5!g`kCX zaP$Ti`Kr%61nZrmJ)~`TJ7WCDkLzS)3~qmob7Ym}#tr#<_gg$86QCdAu 
zx};#lOg`1ueX13Ep8Rz;qGI2$3rHjKKRz43oO=A{-$X>IjE{)^x-!vSp(m)s>FMcG zzrVjDdj4J-b=$Nv_1|BfI^4q(6pvE;eW_XE3zdKWOI|LFuKw}OPW!8WfA>P_+nL9I z|MUNK@ASF9e-c>g{s< zq@xeMPCRkQn3G4};5#d1Sgil%!sX4>l|rT?Xa8|zvD5K@efzIf^9*FI5G0Evul(yr zBGZ6!^s(ZnU1BjI+oAWV5J7;uwh}DCeVzYZ=4{3Os#MAVVY3LQGx_L+l=!JV*yPHhUE&kerw?TZ1G=yz$;r-ZeS$QGmg*OBGrt&mWfDwi+IsY299n|K;{yXQmr2k9?UOF2_QcxC43$+I7hA&I~!? zyL>n*)F-zyFcq2*#!perRJSg9P)-N)>(A84Ti;)6m11T+;%->oa%N<;v*ymNV}ETs zB9+O>$z&uL`mGR}(aa6IE_HRLDFugxO|O>$_p`C8YRu;KcFJv&b~^j{UIi)vht5c= z3XPu8pvOf$gBcbVy%yhbn%+%R7+!ocaJ2mFu9k6vFFUvG$HQpf*@2cMu`!3ubhdv; z*9&IX$#COKmo6zA?G;;(<-6_Je5B-+U7Kp<$P>A7<58>dUM7Qd*mJ(GnctPBJ2!4B0i?{amsKCHE{?|60(uHd;bs5esn4+qgODK}|T*B5HYib|%Q|=X8@#=KjeA=+0`oMcD1Zt&e)sFf%cw6+X!N4y)UV(G%I2@5}o-=CVG0 zO`^XH@{G+9_M%grnuX?R;?&L$QMZj-u2$F7bXz~H)^R!7JAHkquR4+DT>tHf3_)s@bSsfoa$e2FpLsNi5@6oW)#Q>x&D`OzpLU)Bcf|*X=zvpagRAX;jm~7kBB=& z2Mumh*pE~mX%4&fpw^!zl#bhSu(;)7C0I!ce!J8VHZ4_?3r^q_BL4yv%C2NbW()!H z55B%ZbkN5mO%LZ`e^ucY_a}~mzQiDDtmg5OR5RiPhpPoM@86W5PD}B4AHOm_YAUa! z=T(C@3BhI<;hn5W`-ScGnZX2tvEYC0IIyx6K zCr#n@QNk$DfbA3Y>_U1EuCAjsM{RL_L{pB)v7*q2f_pXii~PaF+p{OU%G}*Lkw7VMp=Am=g)Qs3JGNEIRETDZA{$3P9E4*ItYdJYabN4$Fx zzzI#upVKYfTf}0v$1!x=uv=Gb)z#I9j{i_@ZVEeSZO|67&ePDhvQ;ud=NmazgqSyT zSVz}dIVi!S<6x^-(G1Zc%+Do%=?S}fD@>-nX=yFrrAXxgn%hKKkN3?<3cKZQp^21gRP z+9L5YC%le&y~0d0ZTvOIjc^|ypJA6dwv;{CJsY4}L+dA?rwSp!?i$I)&Qz=v$`ZR! 
z*iW1v!7O={Oz!aT{Hk)Eacj42s}N(_bDrhkOL^sQFI28DIS6gxuD;o&uu~FO8)~ao zIXru2mko|Uw^gGrzhvJvFso4X;EdtfgRf3< zd7^9IrNR$x&i?+s={Pmr46rvlJPCVvn=M|8er4CKMHP&0x#@gFXjP1mt6d{o(IZp^ z;m}oRt%-}Qs|ABQOb5F#w?5Os?=T$J3_ ze=eaF>Jt7YDv{>EHW-wW<(*Ypy7PwqSr!iyuioj^TX$NBSFKBat8(7yerh50#^i}> zy+w6vPQT;=S7(z@SBNIZ5uFen$Yte*G9|iuU=G@sif^pg^Id$LmX@ZOYw+IhDxXas zTB8HDYV!2-GYQ2f4QGKnIRn~Dg`e=AG3Glk_s78;AYaxq#&%j14JG3a7OWbY zn##tv*~Muhr5Uo+bMCLKtd!0qM~;t;C75(1Gu^x??=Q5eo~5&;c;(CqHjUhe*4Eag zqi-oMQB$M0hF#^RTB19kRzUtouMfG}pW@iS5>RH=!;TaNAlr!BZTorcCRkR5Teoh7 zvXn`MKnCMU)mxK#6g?^t{y2z7;Y9z?`r0mqT(`Oy4dfFVPL&jODmW(V{1lHU8)vL%<1zNq7 zy`d(f5?807K98JR-RtGSJ-V{8ehjiv>MT8FS79eXpSHQ}lJ$!8?Sn0Ra6|;N1i$@k z5RXNFqMY!~Lju$#UZp>oPT|89n&1yYm^Cu;cnFMht|l@5Cbi4-HH+ag4gDHl>p^_* zx9Vz9aM{0a;XN_X+Nip=)@*UGgo4xH9VGVE7M(r6O=8 z(ui%`KRDQ^p|nZ`4uGFKqg+f7fCePpn4I-l@jJ?HZ=tBia-{21Xz0|Vrv!xtVX~gj zqQpY0b+o`k42FqhKy7We{iAAam)zTp*M;)#NcpeZ_E_|kGV$WkA5X4wJG!G?#4ZVi zI=E-wQj0N~d0WU3?t5ZEE}uE>rNm6%@l}h*c30IlaisJwq7U{N*^lTL?rQTdKqIr0a`AS|W$r34T-p$xz@VAbHWr*?9(Pa=s6jy8@QDgK#P>DtSYp1q?bq# z``8YV5&QjZ>x0!s4hnA5ps`{QM-wRMa{*eW-FV%3QE~CPKI7P|br0xT77t-fCLSJD z7+AR)h#Cq(eLBCbI<&k?xFyJEvH;Rt@qnHp>H9&$p(vL<2P2;hBuj=jDKxOq4 zW7BO3eg)a|CV(t8OYPFe@JEgu;kW+r`u_d<`A}D5XlxwXtLD;e?>yF@B1e;@gH=6s z>eL56zwShdK(dGcFeVBChfGA27-QWO zQR|HyxEp+YCEwRPSqd$a_mj*xKN`;%g__D4W0WmtbXns`y5)(UP6aea zIXyx;yyqmlq1JZL~-co)HOCr8RcmpVh-}(1@&eK`hr?NM6l>)kWl>VQy14mar>f(v=u*( z_c+*4gMeSo;GSuF;`@q&O|6gALYk13rGOMKQfLP;!;FW7AoiCQH?JV(icPCf8n#=v z(AHo=T-@(6u-)$6yT^Iu485NY#Pb~%2h%|0HKGL^yCGecF-S=A_wn-!@%HwP;5K8B z(9C)ICRsZC^Lbja8+3FJVah>$=G}7`oQLT83V=q$lpqQnAxvPgSme-SC(qpg?ELMZ ze4|?n3C+AEp+SR~3^@!~xB%yxl#-Ig>q{K$>$$a7ksj!GxdCFA0qWmxYPn)>vE$qO zi_qU73BlE{j}?2+Iveo%t8`F?5h9)yP`Uw{h9gT4r#m`2iX;l1oQmDt-GgId(1!^Tb(-XH8+ZD0nTSkbta2yZhEq3Q!SE zMk-%6)Yn_*&nzyYPx8hf?Uajvf;mm-cRSK`kkqYu)Z_hQ90{=tq%a<>H7AdmPsKg5c zv$IRpqB+WHE4`T86%}N$S{d%4812=;vwWQ7N!NNx>&KtUo9D{thZxUkJA5(piRT9l z#lA;T$rCBlr-5S;5^A3DNT@IPmf0zV)Q!%JeDOk^#s_s{^f>bRGQWL$h-7bO+LHjX 
zD?WYt`Sj`2ogj>eNk%1t3JPM9%7#RL?dLv7r@E}Si5D2RQiHRjByzAGnE3TxLraV5 z{rj&FNXc!|{?NEJCb-KK2`68zuZOvqfd_y}MAQ;;Ji2^S6A4FC@|ep%dzLy@N=(My z3BrPY;C*feo?$oWEW@G!@Q1GznD;4yFj`;L8h)_){Q=1gc%0U50*th@4@gAzv-QQE zSvz2dRu)3wZA=qWQ)+2A7MHsV4p?fB?I#v}xuQ!rLIvH-V2Le-h({UX*n?eBYM+=J zTQx8=H0jNL62W5;0W5xniOIMypkr3F^~T9R zWUVtRD(dP-axO93sg|zs`anP}>CksZKxh;6cMq5ucH7sUmK?bKTqNZ!5pna$eJXJ! z$6VI-AZ|W;DzWI&`BNie6&@eT_$4=wPH8xJ`S|G9j3hBjHc7mh>!3Ju0+F5Zx&Q>a zAVeyN3`iq${Q8EN%Fv3Q??SC#@tG5dwV*GY7$1kqd)X&Xp7@O?(&;!3*}H5FIogBr zGlKxk>0f`np`hCH_$H7MAJF$hf)!P}Q{cb1xiGix0nT(1_#o-vK_cQ-WI5DXWQFH6 zB#k;nOxyvONy=Qnb==K65rN^cMtnncCBN z`sfYd@p{6-!kXnS1xUe1ITQq!f)?9oV8Nt95Nme;f0&Fs=yI2hb{0(8k2^(hWdwWw z7#pLa50hdMLL;YFxRoT!MyG?)tn2DhLDYL)04-H*=%LPyc2M$E;6Z;Qpu?LJ^j<^e{tZ=>$f(n=!;HwARfx~Znscc~ch+J@6DR|mad*Xb{QjYQh)~1PcUFZKNk09sDBCWg`7kZfF=mb1@(Fi+4qz z#k8`$+gHvYL8`^#v2%t729HWVb%vb2n1mW%Sjd8|1`;-zB<44-1bzAxS65eeVF8@3 z8+Yy$KNR7c^YWS5`y8w1GRTRgK2$OG7np^PQGk8y ztPf<|n9acGKAB+n^I4LOK^=RDvicXh(XVevskQc(zKW8{>}ajToy{ogOBZCl z{kmF?V_B?wLbY#U^}eUA_rb2vn06N72aTYUJhCF7Qo(9vLbbH2$z`Zt)!_!@b{y7L zP*59+1r)Wlqi9cQlpVmzurM=A!mM0I-;hZLRhM58!9BTtPl5h*1B+>ogjP2Ixpd6eLK~-w=~EbaW_z`OgQ?4u&TMoB;`DZR1gJYChp` zp5fLXeS89yi(4=NcTSwUnhIgX^g)l3oykb5)~+JFN5=lXn@o(L1{gPm=g+elWFitX z(4`I5`v8m)XE`O-LlYzx@uBSPvvREe$juNDsR;{kq+t4Ob}m-3v#%~Mqe6>{0PF=2!n8| zc92VZ=$$eI@g3$HsxAGXfx#em!zvd%{&EzYCzji{^BX8 z>2cSlV`GznI&c&cqOC22M=*o&Jjh6hss_Y}0q1r$!C$x?t%J1#6*ZGpG;DK~hLSP^ zIuqzXvy7}lD?FOptosHRS4Ymd<*-}&>)@Or>GFQ8BSzPGf>b8zjsiq7ZS!+nHcVjy z1*x|>0&oT}>1a-T?wl&1zOD*)S7brKrE&E2qJv!PePj#D%gcvbBT0C~M--=VSB6Li z;+BFCX<6bPii#qn8qRQOgdzYoFbT8{M4#k#0sI7kbzZ92lU2=7L9HW*S0<9DALoe! 
zs>%g`DvVmP$a{1}=L;fU z@T^1nVo<2hAiNdlu9rG(%;?T4dU#YUmd>#wvWmbkP&N7bwdY`tO$wWoe@G_Y zo=K%Qr_(Q;_BYfnxypWMLA$4__Va)nP<06Oh%U)7ROdwLTvv9yRSB0X3uF~R=Yu&& zrxLM3zkyo8KRrgdn}9Qv|S?3%@0-0KmPMjnC`=@ z&=)N&E$tWq5A;Ig-#=8w>SnbP{k8l=MB3C{dSPULAMjlC`ag1YL>s@*$Nja4L~${X zPyC%2CF;ERXXOcUeq2o4Ke9>iW79wG^TOrTFaJ6-=*8cIfFJ*v*prw0^zSn-eE)lV z@^Ux-kzXR3J@xM_ru;v0FYu$$zp|zGj{cpQf*&RC{+%|xEA-|6ljk6&sjS7K4}J8wJfJ8ad!WOLZ}?){V4){v^2sM_pS z!pz=#E?`hjLwZb{7#j zOzqr`M};1HNjXg`BN5Tvd%srxu~&{?`&0HWy(ao2`!4_6(LXlfe-Hfc^88mQer}cj z6r3UvOuk(d88P@rKM#Xn_A&}lY^`}g|{I& zXy*D3PBjifmLc=$gocp{TSji%TgoH_!-Rr6*I(FcL0GZhBi;h42BX9CjEoLn?IhVh zh5eJwi7O=`A_~&rJ4E9h4$O1g7=Cb68b3^E5bJZQ`k3c2up!krNC6aG^>F0sbQ;vZ zsrvmoSD?wEr%muN3OV9dqpYkv?lb3k%c9#%NpthC^*IsI;~{zk=x03if@p<7!a2&U zq&A{u1-obXYiwHitXd35;a3FqXO0ci5YNudb-=rvxjc^uk1;bdufE~Yd$w!~S#@>C zQ?Mr4=ge+U+)g(SQdP<7ZhuF#eMeKJKoZgj4bC1|qE1@v}xN96G!L%FQ1TzbG&IaS{fJ7DzJJoHt!eCtT_ zYMEK~xuFYgV(w>~0b$O^OhbHbbt&cqeF)f|J-%lw>QP#=z{di6;j`0X$3y?&1P*K4rMlQ>w&Y|G!^ z`^Qw1R-8w%PSO1~jiyu32S|WQnjU$Nc9Uy5ER0Dczux zPi3h%vQEh7#;?fukWbw2zdZi=2hodH$nifvr|%;NKK_`FPHP#t=EXHqcjPRZFzW9a z_T|Be6iA6?WSX_*iY``cEowg>JuZQg^0YPa*u&yI(#Lct*(=6>+^^t(D|HJaw|T)m z8~(o408+9u{RMN(a}l>qP%#4>B)D=@m#o|h$mOMh_*+;kqzKExNjI+l=Om=m)fvM1 z?In$?Vc1-1A=gAmT0^IF36~8`ZX(BpLP3fi*`H$`3HT!x#Lqm!%<7W!*r}rutpjWNj0P+?9h!POdwN1Qp)IEd zzuokwm$he`HU-RMA>X%uu;keqi{4j)XtnBQDddh@U(lXREKTNzjA9F9S=P4o{ipoy zIgSI{S;sKyU~@6_7zzK)NXJ1zsZh3NpFrIvsv^7s&oSpE_ste^ybvv;`(EPubQ`VS zVMA!gld5y!0>+kNzE=VUEKAs+-!Hobu1$<`Vvex0VUDZXG=YA;x{;fji!?T#Z-+(l z^JUy;8;5COrkPAXBUITnLWIFJ4XB9hvwa}|RzFw4 zMN`|_IDyq!7R==G5$~yXylzCH#Xtzv*8Ea*G*>G>mkb4OJ!J2>_P>nwIR$=P>xezL z?M>y;%e*vGe9^Bl2TDDFP&nZ?uv7<7zW1LoEJ> z8*OJw?d2z1V`Bs5g!u4Rwm-J#gs^KwY=x93}j_mL&~fX7%5xrT<(F1 zMpF@V^+lw$^91owal{JhKwY`J(_G! 
zS-yp!t7|m1JpY#5Qp4Eg zc}TES&W0lqzsi))4)-m9=pP8Fq1*MVQ-qeNTX}W^lh*pRNyt7KOtM8yv=V>}v&dXz zuM2zYaJ^O}n2mB}`W;=pQKUuTey>1RB4p4?cIDJUtMPQ>ei7_RV2ygf@5l42IyQn9xX3G3Swaf=1I ziG&KLnX0JtFSZCQHhoKB3@LAM^=ba8cbYFEifCK8(@#%0u*j?k4F?9d=?duE z)%v$W%R;Cr!hl^$v<+>^XgZWZ0mIqg%d6vtjl&*u3v?2Y9z@Ya7tZJJb5r(;NI=tN zsR0#L)nxrzKj+fTnG;3PBAy<)kZv(AnFuj#gtm#jBbyf)Wu?JvAc+>itwGz8nYWSc zj;$3Xqsf%3B4h+PKjFz~^WwI*hI_2KWySL)UqG<3lZ%fd)eNy8AP+hP)GjmhAYdT-&AS z4%@w$8BcY>nL9Rj51;SQaGFnN)72}D#Yl>ZR;S!ihx>G^{M@_CX~;C}=DOLq1-cAI zvBYal-;5i&{V4_5Vb(!ITfIW{v&PFFVQLIG6x~c)p19YX8f&bevkmlwUf^v?(NREGa`=*+RZfn92y`Q zzU@z5Tn7a+;n0zi(IpxxP>kV)0pw1DmFC|)ymIZMv34zAyst)`8e=rrHR}kZLv9{v zKge3^b`X|pK?y7-B{>0Z$R#y@+It(6CGew;w%vNo&#-ZG$O^wc-A79zv@Q>mY$tp_ zELp6XYbeypetb{YV`c(2Z1KAG2)hn8QESUGcDfwdDJQLokun=$?u#{Yk8<5q=NpPV zb)Uf777*pypM_t%*b35>Bo#6lDnc-9!Hw+iFRtPza?bltY-nJNePp!~TiM+ab*b$z zW0!IT3;FiP-I%p_6&WZBj<9F_S^11U$WgpW(;J_aBeeIgrJM4RuJOms6N}= zdwXYB*Ypkrk!4+ZeUZz3cU^A30`|_x!B49$%nfxL4VmG2?G+F9e5v65rxwuPGt_-+ zfVZF^R*;CX-j?9Ro)YWg;S)64rbO_1h^m zQ!kE@JR(%>8u#TII$O8u+C$v3w04#!s>z35Q>;5vJXC+MldqkJ=fmgu~DJ@SX zUdX_2q6Ia{Pg?YX}q?QGvbA+R_#lpJXh zk*=!JH!G!;wGa=t%CtuC>2g}>ZhD54=VHEL%K89SPt5OX_}&S;TA>cilrV(cF_WuR z67IJ4Bauw1u@L`c@2c>~@)>eYgXR+?Li*En*dN*{r)ou$C_D zH_bpqQqIqf)3bC|PGfuVYp%r}sHy{!xmZ~(yM}f{skN_b90uPlyjHi24|V$|d&m5n zuN{!o-_jFcV07Diy}sBX0D8RXnw~HnyppodCWCFQAfW=tOV~u9Ylrh#Xucg3pd%65 zmiHPn15$`(*-nk%-h5uk$UbpH_W^#1z(K{k6n4>1;2M{46Du2@@Z!L>!6aoImZO2V z758aTsB{WYlktE>kxYk?441`h{+SZ1M+lCacRK056L)o)K=nz6r;m>KGHc!Im5Vl2 z8@vYHO&S?Oo(N0>sA*6%c( zlL3nJt!H>ALp8DqKHhy2$0dSjdW)jrkQt1O)pC@_fk;J6`Q|VSV1xQ5axPn-;9xkV z%C6B&QQY~FAwDjGTZx^)s^O6;ys=n{Sdslh66d|FBHQg3ReAU$dxi%NbH>02C|P++ zxmHw5=pHenM$pc3@k_q7b*@IEmBrElG~W`grID6I1SQ2@k!T)khQabc*L=wqLfa1C zRGDo%R&MF4L*0`;2dstd3O!k9A@;ClE|AW%VzRZw{rf`F1VGz*>sp#nq0K>Ba2|D& z%lPSewLKry_>p7#ZEdH99FqZrN}v$DHWlS48$+?B?6F@(6Iz&-kj`#44Z){`f9UzsTM^R*v7i_u3jhJT|39C^*upln+XFc1>%u888_n zln>xIbje}_@KYG^LI>Ck--&4qO>}~vFmp<@jb=z$5giVqz zTbG~&9EAR*Z-KH+_w@K~;L7KV43|s*k+qPj=>(WzN_ZU4lQTFmd@;|h 
zXDFE_BTHI}aaZG8^dv0f^7JuOT$c02h(JrAs2m2b;dVDL?IluEzD{-z5p)PIw4zIi zb#|$+U3H|miU+uccuHWL6E5|j45~izNY^$CFi5y;E$S4?*~{1i?>>?&#`7BD1H~Tf z8}}J>$Z)P7#+S^sVB1rz6QbN^>&czwE8B&|X>9Fe_gmhF6I%8MT^h5<0jVnYD1&#Q z9pNxnWcJ(~AzfkEcT~>NJa=Ni3Gx*U+DIV}&0)a3NZV$HzVETuS>feDUa-kzx^_=? z7rS^pUH7d@_R!dlRE2~nhZ+;Uoz6hDzQa^~zlQVT)B*7P4d=shG**XENTC6)V!elN zH!Oh*s$T}J_ox7QN+U=o^k6d=rl=o07Uka3$G04JjLT>}Y|ws6$Jwghm2V~SqHT-w zl-r1t$RhW0!kT9gdI)PY{VATD*FoE%&puRpxr5jStk_QzJARSY7W(*u@5u90j)7Z$ zLeCMt4W#4d<~D3}Tr6K(od9f}yBg~`gy`2yLiNVlcpak}U-w*|ZflpCPBegSS=69g zM{@~iVI?gsVS$aorPxSe>}LJ4_uHwLPe=?9i6QaaudNi6-0~STmdAg5d zkh7%pFy8@4k>7d#7%;T$mX2czL{N_TgVvM5kN5W67kmXh(F&>*89Lrw=DOO`(q+paP({`4lutAc}r zO#six3XXnbRnPvtew94f*lo)fxxiGEyDa#WxczFhoS(pG@w!O9C$tyJk#=+W!K@F( zX9kGyAa+O!13MimpNv%Gb87rS-8;5I}{a5Se@D#F2Oez z`R%D*X5XJOU)-eXpBfL8Z7JiO3T~-g!Sf4yuZz&>*ZQ(yFRO0T_1r~8+1F?wF%Z=M z)83ayHF<7(V|%LYQSkKGR;>(GQ7Q;jka0b z(p2gc($MS?7QmQ}EDN99j4%{JVOch?jWZC3Ei^Ta8pt*jwqy`20iSkd`4EvSoHWhP zfBaZIH#5?2QerBoyH+_`jO~;btyM0vk_(HYNCTlPv)(7H_+Id>y5ZgLO!ePBIbAO7 z>~U}I^~ucGXP1Og5%f4;Xp>5YrSr^n?rl*kTI8#eF>0id$@J4BTGGL>Nw3YjT_*7+!U>1q8pXRqB-)-yJ%;HN+~cw)4Lzn`BDIQg38K7WcC zEXvCHry|Cp&Zl{SVMe!_{YOZyNoH2?qs0*ZSIy;=p6}Ro`t)ho9Lp+UuXPB2D5C2Z zuej6RK5mj+3Kl|dTpvES6ee!@BGGh57;$}rp!;cVv1b#h znDq{TBlz2d29*d?*D9PPY!a2A3dd|AmevUwop;OvsL~4eu7>E>5MqwJM~{xXy1Mcp z;(=h-8$uyfOYgSyM4*xGwcXD!_VQalX#D7tj?Y8H5Bjk`2OnKb|0?=0B#NgN&`Ozp zE6&6799K8oD$w07Yt=0!vxC>syJ{(~g&w5MyIi3Pt+=08JqC8_-Uqd+DY_9hg#yW^ z!slCQcOby64H#6R3P#jB77#r$U=$i!cXh)-!*<&c`GHF#*4cuz{ZjM2P4)FET0mUL zNG*OFzW2(=?H%TpmKL`a6ALPOjSKqWtS~NH6Iwqu>k+E<2GuT|>D@n@n&CGOO$H{~ z3^*<`bLOpOEEi|o#zo)__d&UB(8U~XLolayCGl+#X}`TV%7WlEO!r(LgQ(8QiV zd1f<6E8<72F32dJ2N3$uJ9nNefl8$b5yqVis^S%^6n4CL6*moi12iPl;MZ5HWr<;t zIcPgC%Kiu_wn$LbgeE$qfDYd{cr)WSDTNL*!2m;kp60G_mM_O?mLDgjFV&WuA>2|> z`rL&EbVWB){Wiq#U&vX0bLdo0PY&>u!l+Itp1s8DG`dDOV93C%MAD)mkH>_>j?r-ssqwuBVnG z>w_fFyJXh)ufO_4FRZu7Ey4#EhHta}J3DfIX+`3h=D~P^?yT)ZhK_^q0 z(B1f5o_U#Z+J!3La&C<)lu;)EG3bSO_sN&Z2s)3gyOKKv#DPAnX<3uf=LU6)C)^^u 
z1xM;bK@Kf%U&fUTTkObz1a+?lD3J=c0Yf+0Q|k;RM2T+9TI9^oMs@So_|hSAMZR0p zxN|^eoOZ1tgnup81_SpXSjs+4In!IXfa?XialXBuLcow;Y`FgJMt80`TKJk?Vs+~k zy~WX08Xj)l>%~j2%qw(Mjsg4=s*D%hRc#?}sRo;r11#3$)0gvKu2Ie3U(Q-{iJTsZ ze!(9Ga(6!2WUaVw3Dpw$L8>)nN7pf>`YlAvU7=bVgDsxUK!ZlH5{kaT;i?F#RF=ZS zLBt4hB5(;DhZoG5#?$t0iJroV!}KUoc5!j>bT0?&wA4lx=~n7`HQx(h;j2%8*-Gr6 zDttP_jXheM7!+X={PrspCt2DK4U#)uY`)U0+wppTI5WC@nM*;GZw?gc>2BBiy* z}hdnv0kwJ zD#gOgNF6<-d!GpF3*BLSb0&Z)@&P64tz@+KLd7_S#fT|@SP3}%E=Z)eT?{3ya#_p< zrFzmH>^$q(TB>B3qYZAX*M}3OgP$Kg5q^&8*r*Yi&h-Tb5QV<*5^_OR9KRwQ^8HK< zGqwx-{A6bt_A!N`>o@wC5d{>DpcId&o!QETp`s0Tz#^fwfZJ*Jq;A{_nxw!5&rHnr zDJg76P$-C96B#;WV2_WUM65qIsERf%tmYelgTSu|CrY>%s=dWZ<=WM4+=Sia6F{Sd ztX2S#xd*EY{e4uWn~sC@)lJTTkJKIdaa}eQh}1DKvyJ<5GftKd-V`taxvy_H{W4lnt}Fi^0pL^26a)f z`%_c{9Yhw))Ihx%KH!Ci7dKwoGl#t2x8(st!S8onkl^rV&(~8c_ZD6yFhMGI%*W~+ z)8#baR&kTKW~iD%+;Ov3^)yK-Vn%Q`b6xfM;dyuE^Zn&BpDTGxKAkZa2FC(B52mzr z_f9E8gB5?PZ%*;!y2N!-}S_<0VZd@ z^%=ww@r{uuD6AdtixiF8P87Fjw;b7Qeh=CNE%G^-TFe_01NOy{5N&SFYvgwmHWEmo z3=@N7$#n4mfg{0>EEyCB@&il6%GExLm}BS<^`Z)K6G2stz#A1c* z$qAUS5Znyi9}$PQ_4~ez*!;#M?NYBQMl?)3BM|A$RXPoBhgy_0s3FxqrhIwy2YT2F zyF#WflXpKRj=uAVZ^uDXn6#kqh2n0epB~YC{=9BxApTsIWot%GYZleD{zJ zTP>$a2I3WQC?}z=y0eHQ-}2^($HGsx(YrRNgj`flw0d=0DS0E|((p-*6UjcK(p#-8 zh9ErNjQ3_5HeKv}RBw@TF!*G2R2wyP;kJQxRSZle7!xg1Xw(v>4nxO|#*}M}*6+y1>MBaJ9gEV7(u4Z?<8uwl3^eo> z?b@1df7*fyr|BcL%saIkco|TyHUR@|NyN}~D%OU3K2`R&j$F_F2_};1oM20DL>(Jj zFb`Xa9qa1sBtZjDYNy%RW75z|g-=&+Dhl&~5^6Ml;+getc2$(l707m@(FP9|%stj*3UUL0D79S}zh`y<SI&70SA4ehFb*l~cdL!MD1bt++`=Fjo61t>kp9`QU*)`e`v2;hNN?%?4T1zS1 z_r{>%{)yEFqscdU9;AmJx$(kRj-1A#9kFBftX1`E3fu3I-Io@?_Ogtl!;n~*viILT zV4R|@Ti&&?8Xr(jo>i$kuiI~OfZZlG83R($!O#5_!BTAY$R{< zj8>*Yx6X__$|5%3iHjXo+q$X>Ya!nw>vvVW$z@SOR1!QvJd$r{?y@n{6wp0`=n1g?Oo;4($XXt2)D@LmtH)7Xhwn!z$^|OF&dMmliZwF zn&VAo?jyPbG4eX@;!do#X1Hk>Z{Xm;gAXB*BSi;q1p$4QvB+>_3p0IY0lr6M6;Ol7NNX2kU^21riuyUDc?p1g(33Unq7(*+un4 zLsQET=*lvBOPA4z+!{3F@g_&DG>u{CrthmN528DwMm!z|1UA}`FGQcqMxZHYprl5N}erUj5xjfP)r>GX*; 
z$C`nCin(lw%+!N%*pXIe^zBYWW_Q7&;p$orXM!EUYcr5a(kjOdSe`(9g>(?Lol5_@ zf>@b6X}BK^Ct{s>%0cN7AP~k(#o$``c-8E&t$QtRxE(mSb#3&y>1^HmDLP(OaQWik ziQ6R*WTI6^OOly+@v(BYH#b`uj8R?HsqMy>&M(1QPu>zt{yL}f+4-l?$sn&GE{OlM zK3*^FNhp0jc6vpYoka+D@&2?Ikst;Mxo=Xme5py%#C#=!_wQi4%XSIulyDt z9i?<>BsTxz9v7q?2>{@pKeVLep#++*D;10d4{mKc@HP-AB%>LP+-v|r_HMymq|p+x zG$8ZJ+mGg;j4@^@3HvoX;kOTAt|&$}J_{1hGc4yvHb$qzM!uUQy{}gni^(}o1>TJ> zkMs=PgST7c?I^p$T^Mu7yrmjFD+;PJcVlQn4gTkM!3hrHd?a)9`PVG@f4OV;Ph7B% z8IA_hbN6=Do@&=S%{N^A%|7COdzp7{v?FLw=w4>{C+O>SXu0-5!5hi*Q=c2>6#6<9 zsGU>t3*_u$4r(3eLBEk>X!DXek4n10MXUaGeHI;Pu zOao1Q^!f9-50H!JX5cP2byRCQ1iBQQ(G9&YKmB4fh1JtGN91IYI;f{~=d<-n=xtT1 z?^jSq3kj!m%YxgcQL;>uENk^_tsOZ>ksfhmyxqTjK-e}p;9Gx6y$R!HsZ~>u3cH!| z;6i4?HnS}{^VymHo&?u^>*l%YmBt@Cs6Kw|YKvvSEpjcpC(MYeMU5Rp$Kh~pm&J@u=<;g7z>}Te z@hU}Er+yg;JAZs_q48lD(du&_hHb8bJU%d7Z(^YIi(O>l92g(x&hGA1h4=Lvv%~B| z8Sh44)0(z!IHNap;wJm)9~yN^`mgt95>L|lQHdga)n0YQ`TmSGf49K-Nu z9{aP*2gRG3-{b@)sH(jC>Od~fuFaiCFs#K5V4Rl*F?3OzwNdoSXzx~c%QC07*eZh@ zY^-PhO4y0e&`|T5-tK_ToxRa<@s(rCVjV(HcWID)n|W;Jy+EA#mxP)TZKEQ_>Yn(B z#X@UgU4(PUq7N;pK%{*C>IU+?W#85bjE?qZ^I6s=$;&d~l%q67mnNw<6%unpPSJaN zuVjrbMA(P2YBzgxGt83$MM`%XGPhN};vj|myKXxaaxG4koU67nujD>9la8x>R^uHA z8!oF@kuK%iSc>J@$^I845jfF+ik&_EP&8irI&%4iXIeo;Gshy{hFrKKm!^de>>LZV9@S}Xg)rS_sd&0Ch(em-l6x&R zTeEUMa#Z6;r(y7k3zZU@V({!5pe~xQ^J5ij^~8gE6*=h5hOt*8&yKt*r4VcjYiF9K zSFiV^9r|S9pCV?JeVb{YN0) zRNHM~o~$}qJ@KI1;L`Ez=xfu90119sg1K3%i z=1jU4(R|LcGmxQbi7hkF2oE5iQulpVG{ml9CK=eTv&}Hw=X~J_zACW9p7hX;I8)+E zR?@vZ#Wf0HRozlDFz;WKIF$EIdI-BRRp7MQ!u?-gX` zd%D@_#qzrMY1f+W+)PYKw7I+_#4)UkeJ2!*W?;X;U>oX*H1pkjetB@AXvWU>U8x<( z*D@)%a%w6K(@<7%t5I9~%{~rBXZzgY`JY$pi^V<8WBr&K9dYzxeQ$v~Kb;`Vm}Glh zQ|vTIF(5=|rnxjdBA91%DRA_iS8eyqOeNHd18ZM#P)~w?sMQ{Oj6>UH;(o~zSJ^Q_ zgRo(`*o#(byJy2vO7atidCG2Ek(F}l(?H{(C;l`6-+nyDncsS~pV6WgcA`qHy9!|+pK1(yuH7uxq)zDjXqi;6&0KsuOTHY zKgu~K-Y2XG)oyiV1f-W})AkWmgr{so$D?plYZe!(xofIT5#iH!7=)3|fe2~6Q9y3a zrZ?WWLg7rC|Cj`feN4sUO-jb4;Z1vzyTcX0|7cRy_>W)tl~r|*ysQWtIMoM`3s?B=pncJVvb+y0Fz;DN?IH@#AX 
zazF#G%eAKdxvuGl57YBA1TB3#<&sgEgB-%k%;N?hnkdgreP|ry zSI___omKi6-MH^&1H)##_B-xA2iAD)T~pkJf?V0RzQ6i>hhyHgq=B&F({*t4+pm6i z_x}mhBa5ZrGBL8qzwWP2l!7wlburA>u!B4IV+0$2M8ewtGxRg;*)3P}d3pupHN2G3 zPk)7+7-u-iL4IMJL0S3`{7pEjgpo^nZAf_{JKMWG-SIzM=E-+*>#rE37-7+QY*mB_ zu=foJZr-iw-*FGfIeeh&-HswonLK)SBR^bpkF}SU)Z^z5$IgBL4~X}Au2F{2wgUsX z>$;QUZRBKo_o%WS54ocEs5K%hpd|fKP*9YK1RCQN9@WQ9G4%Z&U19rPo7DRTIUwEx zXn5aN%RFU1eXmXCeKcR=+A5AmxkeQVZ&; zOgt~8^}bOSd{OGVky)>S`crPZ*U;-~E_k~P0PcMC0SN#)K2;$U0clvrqX^lhC?2`{S6-7I- zg?O(CXrcdL2I1KU@_04MEA_;icjUg^O$kxJ=|Pw)yUK$$Cw4Putl&Mj)ynU`s_UyL zUYKcaA8hYJ>`WO2^}?>JIxQ1Qa-Z8Ow?))9zx+X6RmCqu{!1{H(!gKkw%p@Tlz-au zjQG8L%o$v!TkmOzpw{nl|QlQ~KkazBBW+%ET zggf@j<(pBqTuokqYN@}E_qOwQf3kVu9<%i9@i#+bfgqw^WxN052u@XP4S!t`?;|=4 zty!jqyIP#&)AtjYRI%Lq`DQH}t6D@=0(iRpziRmv?oG~1difn@ogBCQW_wwCJ^a#H zHj#8RHU30jijeERv4Hg5RHpTZKh);G!=lw6diaMP{-K9R2mUD}MhE}d1$>KDHujURu*#($iKq$~G_KxAV0LqlX@i22_=Wek_u zBlt{em`oPH);(uODEb!!b5>Z+e?N5PT!CJ^(Zth2E?4vKhibl>P^2%IN>H&b`uu5i Z-CrEqhmEri3($WpkJ@}wc=+rO{|9l-$s+&& 
diff --git a/docs/complianced_image/QEMU/picture/download_02.png b/docs/complianced_image/QEMU/picture/download_02.png deleted file mode 100644 index daf95ac0976f9270fd52ec9af46f853223df3f92..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 27041 zcmeFZ2T;>_+b)djDkw`?8!7^eir4@ZG4v>?C@2U>Z-N3+BfTfCAgBna2uN2!>Alw= z2uKaR1qi)E=t)RO&K-C6dCzy=_q;P_=9@X+H}hm>AM=p>|M``>T=#WfzyHg7s!AMt zkM3n*Vd1!a>$(OD3+q!BmR}{=eu2MO=4c;)e|9=4+`iAo#)cnN8-f3O#QBD962g~j2*Y3N=EDX8559|K4JnHk6N7`3W z{kMG=KOb*=vG?0`v(Mk3iSiy+`OWw;p(XcYT`Py-_g~xk*ppwJ+Rd)Bko2+ z%3^T*8@;~LPr@3OsXgcQXg^+Rr6GsL#7{;^*k}jrXD$p&-^Bu?k9Arh->Q?-QP1Np zUu_jB(<<_M7c%P)#eX|=jQJfFmp>A+$<+Jtifoh;sUy2;4V?VbuOC;}$@}^9eK|tB zp1-)DY>wv2{T$E(na)p&0imkWDLo_Wvz_r6I%Rhx7vmj`fA>s=;MJXQ$0}EgZ_jqs z^SK!&sm5A!W*U|_GPX%3C64C4cV<`W1+pX@*V~m4KkoE>?R&<&fTd74!URnbDH?R7 zQ>Kv{U78a0(GoVU-C8+O|3)E@86UMzh>jx;FlwYlIQHGE~VRff3G z@kNF0Q)1#on<7_6Qrf_?af12f^|6O zafj`VUPRYmp#+lrjmz3cVLNXZEAtv#fncer55Anzr~TgCI%!|NQdh$%v#>Rvg`Ie( zV$GjNKvQF%RPWh;>dxbjQgjvHfOQy0g^#@2s$OvjR7tQ9MDyfVacrPbZ$E$j zycJW0P#((sq7u=An{+**J5Xpo8t$_gXSd(0ph?$&-}p?%R_^(Qu9FV;>R%^WXlrTP zZKedzywfv|jG@_YgtsJyt3_lPNtSkE;)SU~R2J`UewSOTOiMo%PE%6u8 z+u?IFD?PN-(k}V8{>afTemx!8{81k2qs<|t(+W>FsujNwJeZ_16~)oeK(t4f23P%M zrr8-by_rL>1UfcP2J)>A9y}O=q?2KF(IbDd_IS@>8B{E>WIC=kkVh%Dd$EWxT;@gu zt3i+F$$74`36`%mo+~1ty?n3#2 zGqqgrn%T@siC6yZJJjM_8|v#0jP`TxC?5Z~GD~xF|6XLOv@@<5A)ncb+k>>bd-l6`OGl3)2;jb=L6k@aVGg zj)s}K&2|X+-P6$MfOYXKotr`or>17xx~vA&9vO0LilIAn6YDa#1dmm!O=aGANn7~d z+Ol6!?MF)!C-2#s6uCU7OEo+;=kyPp3MR(6Scfd+zG{;cJ63|)xIscCXL`&&VrzKP z_)V{VAwDen;Mueq6lX)_R{Lu2R1Yb4rgTr6Q5j!by58FL;}11CRZs28F-@E09s`t7{$usIwT_MsnWf@~tuazu^5h3{xD1%(M5r2b z)34aKWx=jC2*(fJ+mP~G_7$N0vC)uOwxk~tG4xKW4nxLnV5uHUTJ=-u#sYEPNoKUP zgR^Bo=a%>f%54pF1h_0svww8&oiasbjVt4R5Sq=OmTXy3z- zjQAtyhrX)4)4Oe-x4(CqXz?`$`m38PF?ynbkGnA`7 zHdL!6=-2#u!an2D5~jecKWdJ++0w;AygZ#eP8#+? 
z&9r?gDJgMr9BAn-_gI5)FRGjU0DghT*!>g1iMg8i0`XSK1kEJXg53eX9nsiyvBv9$ z@XKjX#d@Rf`=TeqbTqhly%(Jtf4n_W<~$2wKH~QiH@gU0q0!qpO7pKT?%XR~)S_E{ zT*_XVk|v3=R<5sva*(Ko-Y9f(?3zV-Nrm?Kw51!M0Er6sagvh7jJMDv51-ze3HAf2i z724q|*IH$~mP)2qC!4V2WWx568xG0vR#k0{^IGzNzw>)7<{b8DR2AYZ|*l$N7RF1zrj6~CfKP23qr`^w00nbjX}$YOV{NR1Yev~Fy|iP;Z*)ytbIsB?03T3cPS3AWw( zQe^Rt7h|WV*S|bkQ?#1za{BG9*GI%p(Wu^)UiLPy(K%)}*hb?SwCVR}G?%apI+8ZZ zm4ZA?USjV)no?un@Ix>l-+pK-yM{9@J^eR9+7tro0ehYav7k$K{_f42bs0s&TO=&Q zXQA;RKZTGmo$lA5cl>zwJO$nxcCc1WQfEfT$# zt-DT36hCTscm4Rvj}swXwCb*##{~VxgJm+&U-gZRSZI zTQn!$4xO9NjW%-cwP)j@nJ@NNtOYNI=T#o3jCmb=cq)rnqBJKQSH4!ev8!ZM7}?m^ zc&AzKzFya9n@NbqL6>X{=gW3FXQ&n8L?r2pua87Zm6T9+?JAIWbaE2Ebg5{>FW{Kt z4&vx}84JapL0yvw6 zxlci9xj~VA3WA?Q@R<9^pK9`y2^wXM;65Hi-=^wl`D}a*-7lqTrhd2&(Ntv!jl>fST}aT zM-~>~g(WCJY}L=%O+076ptrZ4b9=7OtN>O`BCKxI@|bu-!qJH5Ie5@#Yc|OaU+A-t zQ{R(e5W$~ba>09ChSnKRckW2M&3@?o2Pvm1Sm?d%?3#p)Y}1;$*GKZ6j8;b(B;?!l zF2OHR$m1adAJR}-W~p`ahl|s3UiNIGu;wQEHGoj_ULs|{KA$ok!|(wQt89&KlL$!5 z)|hX;tV#1uY=T;mp57u7y7Q*neQp|D zDs%cIE_~dPrJ_rHtF)Koh@i#2tV66WWCB4*#wZBBOBW8MVjm z+hC!_P}Wo9GK-COYCKtnIq5y_ol_zMh4?R4L1FETm5!91qTpkH?qn4OH-mx0)SAT5 zD}mY>`Xa{VFrRY?KAyHhbc4H?k6_MlF4Gy+AZQ3U;9V}`ufS^y{9 z3q5t$pObH^2)n)b;zaN*v=1Iu+{wv_73_F4K%fvspff>4sq^f^5V=DNl55T40UW%A z#7b)T`}ePT5lavxJi(d}ai-B%?3j4)n(yum6Ko|!LDG<$NtSU%2SKMrCo<^77H~MI5=vbcOT8(p#7d+@e5{m{1saW} zZZ0aa0p>p}Vcj*G6h92P0GvkzfgpjiWd;~rG;e$#6BDB%TJoqXSsl02S?Nm#2mSM^2at&Af z#fLXr&Mkp+Z&OLk)ZKA{moVzOI1qG9Y86Ie)0NyFreiDx$RASpWxprzYs}ijXKVe; zxpOK$9>&JQHQ-=%yr}hs{=C#wYk;fpVIfDx(I>Xn|stlG8Cx7R?{pVUSS1N-^s`hzUgxzCE+aswli0 zeWfWvEGs>oHmin-O3m#2dY2c#9NXxZ2xCu(SY6kq5twSREUEX|yR!Om{lB0f#oKlaL21^9}z%|9de5l`81)%=B@Sw^GCl?Wg z2e8o!7ji2=tqqs-r0HZqNhayH43jc;?KcNYhLl?t=Q)>hB3ROFb)upEm{arjm;2oy z`pNrjC3Iypp!s#3eQHrb{zLv%sno_Tr+V|8M>4-Sf;GAN@H!eWCGO7Bf2o z6x2!AU4insTY98;JUCj;%hk8p&cGEm!UW)hpdW-%iFL!m!2u4_u2903e<;4Pl&h^J zs%R$H8u|q6n4Pt?sNTTs)S#R2IUE z5G`<0U=s{W#g>{KUjaw`Di9tP=Cj%$T((qdlUnM}%_&bFfzp+p->Dic?P9I2uI|a| z51fm>eiXgBz@~RGbS6CWXF!mMUp=6m=cnFjECK5oJKB%Ajdx!uL? 
zf6Qh|S)Jr%1V3&}pP#&Duo7f}i-SKC>w zAX4P!u0rvC3t7-4T6X{b{Y1=rK|k0Y#KDg?L*ZRZM<6dk!E2r>pQJXNYuw_ z4~TYaLVzN>)Rl}JY7a7Pqg_cr4#JUfg(vebDZUU>rO`C9$J*4F!XL>gQ+)Ovi4DLT zIM;9>n50U7fB#Mh)fXOIo%;~Qc%v~;gfd~yUPyUPhjZ4FeeYgaw@M}?23)XRNM*7_ z*|q!_+6pVb`v?FA+40xn(r!zJ^ZnvDStlBKMF34UmBXc8>ybc}0$%PO@4=bix9*;+ zG?_!Q2hXLZa`0Zcuiax@6&)5E8y#wpcMUam=$Hf|^!0|2-Gkbrt#W`E_q&c)Q!7J{2mj3vhw%A)0rHIzI=gLr+jiB1U(GEIh{;H4+t}8ygw;L2GY$mECN*FCnE0v)%0~ZTEeH( z+Gq6HF7{T*@z?O`+J-6-Di|iC6)W9sS2R=z@L5pNzt5YwZ!acjYd9`JNV@hA;t1|n zOH~r-H%-1i{)14%QejuI$MpDH-6H!IVF4d9y)3UoKmaFVv^JSqx~0SbpeEok@fHFk z9%2k&sWra9U|0ls=b1JjyI^Yu0XG7oyPcZz71s&A^X}a{7%qW9C(ZI5yrOQ+v2Z3S zrlZ(lyfsz^?6xK4a*6xO7}TS-ke*ti5n^Y~lt68(QP0F=umfa3dxKEr%5CPla42UDFwr-Ijut#_{|vhajyU7DXaB2LujnKU1L5}s9Fh+#6b$>ksOT_2 zGNquSF4V=M-kOYCcz_}P9K5bj>}492UGaMp9WCQcUWWH*D2AB`0amAyx`fZS>SSzX zF{BssJ2gxkr(@kVmxibvDq?o+pKn0gX0kpo5;23q1^70zwz+*9%>6EKjoHlN07G8` zCbzr0TMfCr4)`$6d$j@RC79Hm=qrn8^VY){Ek}?s>U7eB?7ZnlFo1_*GH7shJI0MY6$DA-35Qg^s`>&5l3H3I zPlget_Enfkx^9u{UG%kU*Gv<>AF}(VPNlv49#3CS0{RDP0$I2fWKXY+ZXN962;{@5 zsVQdYhiU8QK5Bsd)!5z`{^RBKF@RW=z$MhdJfKHa(7l8YPmE$^c z>0|-V695F@-$RhPnXKTCH-fVw7Em0iNzW!i;+p_;$gGQ)MdL2^LtV5=1vZF-P-a&E zi=&Ab#Y9Kjms$ZW1y0BZlql4y!P0Zd0CJK<+p!o1WW2F%$mZaFdAYeA6q(J8TNFr) zq7~~My(SpBjcmO<3ua=~#2j=47^)U^c^3B53#YDAMeQ70)E29 z$;r4a$=VI%Lv@n4q`_udG~_C?`r|}kV4%(LDAOB8s{RBx(+b4Eg(o9b%;IF6m<&h~ zpm=j*qdpeB{Zcrt50XBUsRyFfAjhm0fPjvk-Vp^!03y;ZbC;n?frt-Il{J;w30uyx zp!=?Yh_COt-PLeYBtXE!wj}^ebG|pir__D)GbP@Sdth;}vZZwqOweX=$98k*{vvvZ zZ4!DT%_J7m1T!Kksyz~4s2~j!u?+NC=>TqH_tEF-2{+}yIyq#{F@L4-_Y7Q&=3wF{ zVfEf{^bxw0YnBLowUn?^+V9QVw{PQ3vQ?-8_jRM1pP0k$owo?}N&$ z$7thU??$7_>nOZJq2Sgfj+3uuvnp~oB7U}r9^mgIY(fdKl-3YwVrOo*YP92%OOb{J ztAQkomhAICnfwv2^X-7A{NsN1U04W;u9kndm+lS}9AT~|%asTg4(7jC4-}3t|7H1O z@BiA1+H3IS=O^6H54Qb$bN#Q*4-5Bm5y_u_cu~Fg@y|D(x&Q8CRsY>@x^BAb^3PAy z+5W!Pl>H|G%w zSRUYo!1ulL9$ktIi|qdF5%~3P)T`F3`ZsUh1epiC5~^=PIh$5#STGiNFia~9nvkE8 zcC%!+G}!j%nlq(*4|v}hH|y%&D{g8nJ21iXLbQDB0$%PiK%g2SxAQ( 
zmJh;86*h6+scA|i(CuvD@{zs+M_#_J3pyIW-PjZH<>uwbEKd(G;`g%r;l~XFER{#t zcNHg_zeWFQTMFE9S8lS^_}7#G2@_C9x;}!tT}|$Pxw^K7KTu><)xd(!8jF3!zRKRg zB>}}16ia>W-RG}2Jj(Uxoa&L^X#jloWt)NYo;2m1t*k5`zwK#bsp8Dg7H(|*VSB$X zdB^llTjJ4!R~nm}yP%-cfC}wFeSw3Z^_?M&v&r&?SP9}ObR|d zy3`NEn|~a8_7HTB)VH+0e474+rLBs2F>4s7;;icXJEzth*N!@CfT$5|jGhw`vR&8M z$&#J$`^Ozm`Sdds-v7vE?9MLe$U50`Z6^!VR#m}|$1C(Sn+}TaqtCPT>BAZY>0D(M zf(Z#yu)6ShQ+(Y{b&t0@SfKKJ%GZhzy>&-S=hr?@Sef(BcK@|D*}l1#eotmKwq|+C z7XyyGP<$Sf znA;z}vfP4^vfLN^V=sKh0;`_wyU+jW)`SErs4tnz0I&ZZ`rFnkbDs8~rPQm*Qoiet z>ulq+LXaC|V1o>tE@1y)vAC&gAex6agZOIhR+!qVL=f1MUlE_B!+PopG&R z7LRE2SlhA%ybuCW1f;4#5r)0ZYq3Iy&9qJiX2jC99~R{4BK~!e<$(hSfO!>^bFA9I zdS6THuJyaxko*LLCMx)QlWJ09JW{93j~=u z<|T<<4PL}b#ANLm;W%frqIdSVJD#Wf-h{<=TZO20Cf!v#6`E3$nwt75Fc5d_iAC>r zsl}s5&5`2MneA@S$T;mY73(@M`#n_cywpd~U7P}%#fu^!rsn>*y3}Rf+PH#*^CU^- z;xZTAGSX9HsH1~>xYTZCWz+jjkusPz3RaF<1U$Ud+)TnN1D-71O0&lIXSjkfPk?<- zc?i8!r@7fA*P$#Md;6ua8-elYx!K!lYRYn9zcsAi2d9=XXHppWBCcV^M~E909L~_^ z1uBi;z8wSvn21TCH^ZKqR421IdrhbOq(9S^KV;QIS?tS&y^wo|V+~!2Need2lU@(Tfn&B__pG~cKY>{JP zyq2Vh6~bzC^5&#mjfvg`%(pYXswE5}sTbPA6TkHudbNb-wTI=MikN-q@}K|E^dW_xo)~6!DPTPUw}j} z9u?!jwYFB0I|6a?(;z=!XWv_N!1m>W%}$o5a^HS~_=6q*mQo&g-S1nif_|KQGJf2r z)S`|le1I-Ruf0*|yLYhn2KfV?J7%^x=CI;hu~^0;@udKjYX1YW4Gt?EYVk-Kymak7K9*WTa9Tv%_eWiIcfy?2t(I~NUZEyig28@n|m3^vIq`T zzDNN}e{N&Xl`nq^bH#{Ts*e2t4a(=S&oh+>&|2?ohPW^yEH>Yn4&U$1GC}&aL4$p= zDO^~)k{T;cJ^}d{@`={QVX@F z@JGK3bBpSod0z#b7A`_#;9PhH+)+N)NxwV)J2b9W=U&f>E4LO35&qf)h-@tA)!eV< z&$;#UZQp83WazC~0RO4H5P!u^ANrDD*AH`a^QKyq)i9htn_i$uov07uz2eV(RwwhA z!Yxz`Ki#c#9l_Jss9YZP{(ToT9cJ}9i=_XM0m<87Nf7iy`^6vDz0L@Z1cgC&supzl zrQpBmc%Moo96wH;u^>kp7AH4Eur z7z1ApTd?gZ*JJFbVx$*4zo>-!a}OV-X#4tew93vmzuS5Ce)5x9^N6pBiLbq#9yPRT zs>u|LUgJPRq0TYKm+rDJeqpsFO^6&SF%71Szd#z7x7n&v!j{BY2Q9iiWmu z0d&eJt3ak29p{C$r}#%8q$} z)JlFW%hIAXM$eOlw7ppAKnyV`F`G2K%QgSxdH@7iIhpl-?&^u#p=xs5U0w`NB6x{* zy6)S!xZyk<9CVC8kor}7QQvLY$MXE4vgK#&pmW)D)Be=<&>c;3S2;{2+L7;ACQ>UOsZ`_Uzhk+r4c}(WV+!zQU8FU*@{lRAYjkeI5Za 
zVFfmo@be{8sW!X0_`M%RoJd>LwCkSJ663;n^aa)^uti_7*DrtU04nXRjd`~<-W@DY zE3Pu-pXPGAA#@7!hX~URJQE(3X{}{M%s(G;?P`Y>eD}d#6DOb9J?-!Ji(9nbl2yF4 zX(EJw8FYzXfTb$Vj02n;UdR6-V)y*bl;3h^WBPzubJ@eXa+$B`O0d7?4NQ;tFTec{ zul>(?lzmKS0I#?I5d40B7epsvg`W!4zj%AXbsY=cAf43vR^Na8&O@7emdkHJaa^KI z2OpL?E+S&5#JW&Gn&c{?oBn7Mq%L9!!JOpQkj+@>W9_DJMXa>jz@qs34A6*GNG{Zh zz+$Q@%N8^D+qBfFz&l){~?Mg2cNEphb4+4+@NjKAv16bZbF* zrJLt@m+jMC{1pHX?i*n`YpbiSL_cWZE_Rpol2^ugM0Lpt!THTysC&o^>w#|p#|(RR zLY}w$YbKg%vSED?=!U7u!yu(V1-s`>bSsCQ4QnqZ-!6r`0pNC}J0@!%ve2$~^Zm6X z=!!a$b~;y-TE=+PLC!~C*|D`)G;9oNH0TLx{p;Q=ee>!1CDz@ITIO=ED)eRfaa)(u znEO!W#$43R7)UM@mKd3pJs$o+BNV-15XB|@wa*Vmr@xwC`!3(uj0XenwF zm?wtbKm9U-nW*=(#<)+-S{g6o*`-~U?tf7Z+aH3=DK0Kv`4*&x9ABRjiAqXLJa1g? zKEZo};4?jxkr^EmLmOnrwZurR6&j$<^;1S_xUR@1kM5c_%4X))IC&qcp<}<0j)})c zL>|_*yR;i1gw#TIjfRHiAu)Z~)t0v??1pQDSBMO~xDq?#1+F|bG2snC$ui!Lzf$naKt2u&zO4+u~&*kE*t9_MQ zT|U8!u$47$J5#?Y=ZcM@LL+sd#4?`xn5JY9>pIe~lNoo8rhS#Ify|% z&`2bnlUkVlq=t(}GJ24MOq}5|H)u8TawnIKXI}+rDB67^ayo90AkF3n)|j8}Xr@;C z>L5;rQNAQsMg*BEJI{IV%}C3nJ8`*-0iGMkEQnJV{hq*mjNEEm;_qxvgh!)pm)|!u z93&Q_L8yludAbuIjJV^(4;>S9!9);b{hg{upR8Y0>XrJay7_fM?JIhZ;2{Xmz62Zyspo}&P^n1mHTDr{AK^^) zsuII&G{G5qe6)1GXok6-Y)Pvk{aUX+sZSon}*(oFmO?HWh0)aD1} zlrZ_&O)ECj)r%@o;Mfb$^-jVn-4x9;5?eP)x1g(A3lA)flB;@G~Zi_!_<2EYynsD5J)=UM@}Af7^`fKlc0vC#4pT=JRV-C+Rchyrn7=X z#HiHOsyEZ9)8ej|z!25fL4c{W2CO{qaz87i9#amQxekFRaDYHK#=Uw#!Uh?=qGyKt zsLA>zDXBMAYra6oIIw?SrhtDio?cnR?OW$9JPHOQrXl60syY2(v*?K17`v-Y+hk2_5saECfQ#Z6mdt zDT=2OE06%B($mv#1RfHqWX_h~rAr+|HDp>Ij`y-{TZUH=K-N=e7bq<3D;9gu^&8Z! 
zw5)oJB)Vll!l=|`wlfO{(nQeUkP`;K!D=nc?Bl&+n+&O^XlbYpzBlfV5_6-3MKF~& zUwDjDwKE1*gpb8T@PfkB4NW|&mD*Kc&NLu%227;I#q*T1_%rbNaZshO zebSs(1@yW$jU)D@jAKoxZfu_vYWLa=6nbD5sDgfx;+Dbu5?d=u0yrGVx@4)%c}%B+ zOl0gc*$pbY^_lL6fRGt(+YF&r+NJ@@ZEo<4!y_vSg)%t)37!hK9brwQVq(18QDTh^t+%~tOlT?Ec*Xrm1qa)Y7K%CV{8HDopU6Jg@gyu`AWF_^h_w?>L7G*O zXrv7lmQ7J+f>My^%VpyJ_M#vbD7(tjXU4yjEdnYmaBUf=+}^Tx*)S^K z#ax8X^1_wfpcKFOa6hvaheJ7Fg1u=vD7+ftqSM%?yTGVc=(Bw?PYZ_{k#BY44fu=m zT-OHNj z>NCvU!Xm!X2h5X6At#x^?h zFu1j;>0D%?q1iOa9s;;YD?PX7cLIGCroI)4kpm+bSXy=!^aHe3VB3FbrHPBBDx~RW zh?)i>;q3N9Gd|zOuyX<2N53GTCih%_sZ`{n6T7q0=3fg?!; z)-zcXT& zI5>t(mHi0NA8ldYDlZ{HQQmc@dZ43HT`ks45L`HhFmP~g6$pT9p8@zBCtPW0IMZl5r6sIJp9tH|+ z44}@2cZDR59W2Yf%(Bi)RejX;tldknblQd(X2_MnJg6vFb0wCPDYJC8LczY;wKpgB zgVe?Gj@M9`BJ6tdlan9My-xvN(*(2OlGGZ@+`aJ^ug`=g9XNEzpF6X7?p0icXE4B` zHVj7#4u|}>v;#D8qEa|GkSRtP5)v^eumv?T_4OtoZ!#Q|M{QxFEA@6yU^%Uw+bT$e zGJy9$5}|?a0%rlZX9djE6}!Q03D=_NlA?WFD?`Q)+(`D<8WI*=?EzjgVMDthbNTsX zT)a^WUV?rwPbOenUtjkRItr2EE}2Y~Xp3dsTNi;$4)}%TfiSa#tf&S66Me;|6qLsu=PsPo=I>J{oY#{w zt$WSTTPiWDeYI=XE<8WdwAzngv|9H1#3eYLLjhb1g{p#?{!)rBRI&HLH7x_=c@>i3 zc?u-{Az{@I6>`?Rq0>R5rLw<=q{3>B&qd zL)@!~q+X$^p+To5A#vND_GUOhi*o?H`FwT)lfyh$FncEdrJR9J=|14L&Weh{@lBTo z&13rkQt~N$KoIefg|KUP(!FEf0MQ4>bKjw|zS|EzBifAly&Up#M#8fcta~$KKcHlQ z9|7ColW|Ko!P1Qjc00gx0$}6kyHfH3u|}g*!Z)Lm>({P*1MG&ejeiKKBUpZF2DqIt zbfM)-V!4}2#Cap2LT(1Ue*gY`%tFlfL~?U;^NyXYmr?Dq;ACb~-|f`cS*o}!f!}}? 
zmPr`Ct*l%Mob$Q+G}l*EC^R*?KFFYJA8qNp4|i3U#KJ3FkWcWYonm*t;YBofr`0-7jn^+nXYRu7xPoCLgZIw zgd&VIR;@qtL$dHmYpM+dm^+b(!gVsf)A5-c8Ur^X4Bv-`hxe(%pk~GbAsxy>PG00M zhk-PQh=(jX*_s_8_`$}~HmeDsjL%t5*lcCAP?&k9A!ItnO|@m)IvDLW-?>yLLav1H z(wX{oduxz+G)+2Z^9C#)n4lDhc)3s*vTDyCtxYW|-lap8>j=wa3PcrPf;qUX-5Wn@ zDsSG;G^7NV5sN9|(QfPEL>E@Km3;}rN5kH|bA(pM6;!)-7e1lTE6%9I4Hyo}v_%zR z0L%jBmIi32tc~OnjA2Btg+LG`)m6F?Do8%lI==!zwU0?q9jY-tdIeC<4q*;*tpoN& ztr`22Sn+hGmojc*NE;YACRJpW6yF2qk{Y$n!okqh$WOTP%|@G-Ut)?R1f8m3pXHz# z05ItNut!H#sB$k3L)#XBGhuW6d6qCKIE)f`xR1|m=&k$4+W-N*>?hYiiw@T43B>Dy zUY-CMzY|Jxvosqx7PDN(C|ilZZcV}yRd^JBG&Yt3Lnu~3>sXZkDCTz$5+5(BnE3_s zkT^NOs^Ow~TO&yR!S-j^J#ajweC}16s{G^xoSd?7{_&%=HSUr}V|IkUh;e@Lx@i%8 zwC9^8=Tc9C!Ny!S9Ll1TABKdGaW59*o*?YMku-F5C0!c3VBN#w7G$kD5}}t0^ICYs zF%}t*^IjiSVvW1BOs3Z(Ddf;Hhgl%;+y>G0yRa1_(88fYt>HE)0)2&|Ay53CZ8gcc z4+*MAoR#5NC674v@a9-{M%-mxGsMz}DBu8t1m^j$kUGr!(9paDO`qwCXgM1uT7Z?) z_mm4~h8Wnhcip)C0WR~ycAE?RWvd4v;m4XmU43T$BG5HbEAFx@gbrRId`48!+3}Sy z9VP>pHC&-8OaGqB&sNsJH`w?(QhXm*&Fi0)YQpP!R+j7}-M=0R^Yqq#qJ(>(gVD%i zb9JZJQwgw-eaw~^y#Dxaxnkxw{xdoKpYHwN(arz$E&ig3uip2^N|$SVQ5N(A0u@$l zeWoS^PLR+~TS9F1oM{h;qx6ak1Tkimqy&LgJ|79;tP0n!6=CASBv4&f%w6WXN+5>2 zI!<7Q$!gG@b6d%Wje0oDm-m4FOyJ>bh=O@ct;n)dcx-G1;6^xHFGp*uft;wOs!Gpk zm8E?d4dfAncd#Hx73N$f6&%zZ&L2`yR^BTZBReyZ6d*6R5N3)P_8za4*n|@`OTeJR zX{I>utp*ulr8pd{T;_qav9MoFZsq$M;f~JEfC}035)u*)ac~GrP%+@7kdPdC**BmF zDeLeA5CQ|LSpSMk3ty3g@3kdF{N89wEJoR69ocNmh94UO0x?96qU$-no=aVa&d8OY zoe?@@D({}G)~Gj9pFVzk0KGFP52$O47nmn`$+95oRsZghq3^J86gV#?ca)D zp4hL}N^xwhfDB+J(=D+@-Ml=ahPt`i z?c@+m3ND9`mH_TCTX#^ z2zt3{@|zQG#?DX-P?iwel24gfHM zeozQ+H>PFErq7yMSy{<>ZFrM&0suQIutAt)_8Kz=@FwY$#kVK{mv!}&GbwQ5kl<0m zr#tcj^myi8p?D*CYDT2Ch?R|i()I>GG$i06u!jAMC#JVl0 zkO@aAJ)*`dab-(;1ZCG}6iI_#I5;^}41_X-U?5{$mO4D(31nP?&eFM>A0(l_lXA)1H2c{zx2aJkh_z3eD{2OS#1dgL~=I2p<+;m5h2?!trJSRS3kz|s) zEFE0yIzkp?1~z)|$h6ZY=fCY(*ulK=)`kCVH2y!2nEx*X-T&<^lJE7vnWK*}w}-@> zw^Y(Q=;m_4j>2(e(sxQlCo)9m|AY_}%)EL*kB_l0O;;!d9!M0DFnC5aWgn3oabYP2 
zQWAvC7tEl*e=w~abKY1t#_&rztH#pzvFD#O!rb+^Kw#ondz5(-tCbH{+~!rioX`Rl z{#(NPug>Rx8f2Uz^c9DfHkuw9EY32nmfyJv$|Y|xi+?T@2NyhTa`xo&Yf9f0*jC)V zHH|;y9rrGw)yp!D#F~jme9t?y*y=UE$m@AID2RT(@)WiH*gn|ZgG}kvs*u!ynD&c8 zV%Q5P71NE>FteQH{&!DsKge4x$W{t&=5QQu-gz7Kp&@r7{h)SSdrqrgq)o416tWe% zu^;a+b!6|wYH#ckOdKSQyrByCT$GCI#iFvPOQo}O4?|IOx98jnvDTjyJ#VS*)eEeq zb$_x6%{I{|k0|ctR6__tDg5-3s2S32uHmjtXn_U5H{=<*1m6e|K2^rFJ85na$W&( z@neKjhHWPbzhs|2b0{$2lsUBk;$29SA{z+ccw^hoY;H{wXehjnim`M;r>pUh%k6_2 zHi&rycH|9r^))SR!#;8PaB)bd0bh4=i@F+;GgwuX-CNw>=Wiu;0=0JE>vlpZ0Hn5FGaiM$)-M87(Xvh8ZoTg3{mE^2l z3}`Wunj$xzIrt8H1oy4G*ZW<8wO)&6NcqH{3kUOzG4tE|F%I{sHF(qkbCQa7N3l;b6$j+B|plT-dprK4iTz-?YN?Jco(0 z$cK47-C3I3?_Ve0)=Ub}k5y#5u`-eB66LRZ{)=)8w?g?$^zAkq?F`$#kLV2FGC%Ir z9xG4XJZ*phe0}m(^k>gmi=;}`=MxCWHqhq}X^X}RC_KiOm}t~0H=MD`2$7r%z#NCA z_WEn7ZGMp5+3=C9+con}X^Pf5$$Zv{wbBxt93(uckw6f4Qz61QOgzm3Z+1SU>{=N& z&@sw)@2}5uOg$yUsI(8-PSq(PZ^U?%%+5nsIa|9xIG%C*i}gHrPrx$P=IM9rk?y=K zHTSut9t{8CQ_UPAoUdJM2WLob^22F10Vf9dJ@GXO)KHxX zGWoK$pwv1FPY&=t{V&@vw!?e0AsYv$mjVzpJDe`T0-hLkN5H*DNFYNp(bIR6hejCB z3O?*&+er%@IB22z!FkmKp<~r1gdqfXBBR5iBg!5$ed<1XY^CQz2t2-KI%$DMGqJOx z%oB#Vn~WT_liXvwx_gJbaWi6RL+*^U&fH4L`5zNK1-(JXUi>h60<B%ufX>}_B6x~$>LtEuvCG=3LiF`^(g)4 zWayh2x*DqyD27ArH0qecw-;U3tak)lO&v_p_-~2|Z0zC!2FoksMxp|Y_MJxa0xN0j z_7RzM$L8ui@bE)}H~Iyt6*X#Uy-WEbQZ^P?m!>+QPK~sllyZ};tzG*|4e9OS3t=Wf zC6?RIZiAt2$|O$brt1uFqOIdg)wj>qDQ$$zG{3*{aO(AcH2MB6ogndCr5wK+Q8L8d zCg|r>TBksE=G32)=PEdp8peade0?g>V0=v;KDZjV3pjpl5Wh4@clItk)T4 zPJ-79zaz|i7u0M6kRyJ_zyA6^sc~2~lii1-a`_b~lTEBF54iTjm3?`q2#0Y7Iz7Ip zL&hlc)$gMlJr6L`48H;!q|5>jtHW-E!oU5(a@FGjb5QX5FO@#b5B~e=jjZiZUYs5P z6N2Z{gl%xM0B-=$q^bzCZB3qRRcdkAlPoMkOrjJ853zx7JdH1>iBQbteg(+QJiWV| zu@JM6%m2%AXpvRtS9k*fkSRkVYr7V*aM12WJN~?wnbir6gm+kn&bnOwUCa9m;mxyW zpgP+1&jkWaI_JfLc_KDWKaEcub6GkY8ca%^t@J{EA>Y=|b-oP* z7QBa$bsT_zt=-~Q!8z^B)AQ;q$cyksw+L19-S-a#m(}-rU4H4o9Kmrwg~keD}>qh-vI0kFLSv=4~PXYTnhX2 z^wi`j^y^x)F9JVO!;3Tc0|fJrr0Ak6gq;lDmKzrRARm4lY$YMMLO|ney|! 
z2j7LZy!3a>fM<(*%>D?q8`NR_(8-NGP$J14&#IR5AHK*W&ZR;7n4=k>4 zXMSTD5%hyyzF)f6Zi6_v16{mGH(i1H>vRCD>PJJoI#0`y7FJ&j^t*yKBt+%>l!2$o{Ws5hzJkQ`@nGQ^#0qdsfxkUR$nLL%e z;cETs^~S~Zz@^#&b)dWhbkN*Sb6&XI&QsZTx?szJxD4Q6;GMkMX$zr2a%%ltlNTTE z|B9(v+GixKv7tP8J|l3AKhVh>iL=>acezYA;FQwXc=zbswR;#DHh>y+8rRFdm>hbm zcTiECacOOO^Sy5dFkkL|YxZJ+9rNx4b>6Dmxxf~w2go4RqdUKR+h)zU&ASR12jKK3 zecP_6;CAQvX^m`$zCHRBR(&O%p@9XI5~G)<+qVDr^;qV_9DVbhJWIVQ1A`YR+iu$y z+NQTxIKlnTRA7NW4H()RYM0J;h}fpg_$_UhF~b2ra4v9+1-4&r*m|bgg7PPDk?%ZU zFoOX8tO`^xKw~u^R|A0yQL76$)O=&(SV zpxnUPd{mlYG+0KH!)P`b%?6{T;%IFE9Cx5+CE3kTp2PP|$n2`njxgN@xNA DgZb2$ 
diff --git a/docs/complianced_image/QEMU/picture/download_03.png b/docs/complianced_image/QEMU/picture/download_03.png deleted file mode 100644 index ce6e6e14fcf680cdffa6119fe3a198b0a445d5a0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 37858 zcmeEt_ghm-7p}*GM-V+Af&zj@igcw)w}jq%2}Nl^dJ9O6$e{}us&oNE?;S!B=~5zu z4k18jq1OZgfgAMuzWX=a=ehfro$P1tnYG?oGqcva)`V-SD^OE1QeL`riCRe!sD0_u z^$(XWU48!dW%3hng+3kmcE$ablJ4Js|2;jgF-QJ;-$TyOL&w?1!|Sb^^(C;Av!gYi zyQQ18wUfK8v&Z(8R+&qe9$r!czSMo6wt@E7onA>_Aqj}SdKnE@{V-O1W4a<&M6>Fz zEl~@xPs|buY4>ybiO~zvoXU0o-k7ApO3tZWj?z(F3lqJ;_5f=%{mXt+da8`S1PJiwvyG|ne8 zNt4tw!I%EqM2knF(O>Dw$;av2ew@2i@;OSUJELU*BD?KgE&J)8K7G=gT|zzC|F48c zCPsGGJZx;1sRWudO-%dPZM@i_r}N}T1n4<|XVzMT=PRmi zrV6Y9F?#7#t4tGlwL9cQYd~pTzkf8iZOi!b$Q9j02;En_XQuOAy;9>3TBjLY(~QpA=|q96@H+*tBB%NXJnr zhO_V2-bW)zzk`a*Gz9#0g9DR|OedgC%Q*>aNa#6g>`&|8jFG{7_U)R&;}eqAK%O<# z`q2-(@!*wi1NUG@%(`t!zga!xVB~B?-NeXaC(-nJhQKPZ2qYS7gt*nzq<|H##)v*e zPaHf*Od7~C$nf4rrCZmX3UuMOAtOc6($-Y^C2u>1Rru1W8x@mka09T(sAPiFnVY}S z&XLagp4j!@qx$AP&I@fXYLK)9wx>-FN4oD#ga;N?Ze~S~aVM;3<~YuE?Z=V(802J- zf5c;0c(t26^eW2Ap4+p0fL@&YUUwX)Muv>Pk4W%y{hMD=+f#=Js8PxoY)@4NtSBzo zXc~gBx62qz1fMUb?{GJ|s#rO;a{6whN7^@-+q^Sm z{?S)3$SlJr@uphdfq2jLwuqoP-lO%n%QVPT3s`US_mM2h_h9a)v#(f$FZ z*45`@=YIa_S*;}}5n+mnS-Hk2=wiYs90?HIlh@f~0sufPr@Q;tz!`SyXCnbhKp-1! 
ztVNY~_YU{|-eEZl^cg=(oeU35$%t;VjEzn^Ue8HZ#?6%&Q`cDhiYb!Z`;D8wA$tgj zZD}S;N;zr>P0E3)3U?-qHm(tgzs_p6DulYDkLX@v)cCa1n57{Hickj!2R=39?5m-# zvfkt1N!&aNl1Ee74en%CDYF(%=k)1yve7dgK9A0L&PuO@adTEfZ!I{;sanvOk5}ZN zA7cSVa7>ZddL=t8qck>LPfz}qNHa|MVe<4%5fMG(gePnZlGx`&eCOofe9d2{OlC%* zyQhpSA34N8G#i_(@%24N3GNE!2k!uF4f09WJU}*KzthzUuTs?rD<`3mQC)kH?9UUn zt=LtjD+cWQE!$rDpCED(Ji-~Tk?DVLz0V&kM%mF-d@dtQ!0s?u0s!2bK^h~gdm`NT z_n9RRy1pB~t|gmz{`h;T3O`3Dr&5c9Z|!j)BUom7Do=a#YgylwLPeq}VRTfN!HS12 z!tj^xUeA!b0f$b^iXt)5*M6;#N|+L6Sbly46TAN7x3)q_OWZ&ejSx$DHbwVf5m5U|Lz=tajt0Tnv}B7T}a93Ls@fk zck^=;X@Gn%kAFB3P_F&hlt|_n6@iUg4;)W>8(ftzyQ_U76|cw6Dm%&} zIzGOlY=Z3P<0578!Zow(&aFL(^!%4JA zi-&&A`gbbdO6gk)#TGIA=69Lay_hT0RnBC$Q2RyeYj=3QKIUPO;#(pvMMO|W$?qqW z`LV-f&NI*Vq4SXZ`ls+-+gTf!StX*`v82%_k$%(+IzAG2T{5 zQ&3{rjyG{7lpkwQ#^Hu8K3QA)`7s(y*tDMlOW!ZbFKgh`Su8~#F8g6%q!YY|^r3Q@ zomaEBZ=+RW%KA?LCt=&(&Sy!rwp3NGdM;{b66WhM_Y>0o>a#ai&seWX%AU}0b5cEg>=YrgAikwMWUUxKJH;#*~ljY4DC6X9!9U$K+9 z{!s$>LT*n32P0n{%h-~E2awZ6_)3N}3vX!w7n2MzE-8a7*=ivK1Y|3!>`IgM@i=es z_a(62rXTqNNsjfALe*`052tNQ5*^4=RdshotgmhN(N3B<@>7Z9x2NlzF=sh4QKj#x z9X}oWoLE{XNYa|?IuwnB*LjJas7*c%4_~CWBCz@wlx*H#=PJmbY$h#FeYW@>t6!eG zJ)vVzuv)n_U01f75TKUeO%QEZz&#i!$*<>eeGyn{*wj3$7gCR1d2q`apONBQhXz$i zj<36h9G@9!Pk14S5HWoLP?w ze+6XQ&uAoGn0<@C+6i9rW2XotgctUuL)W;KXjt{K@ah@PX-{y(kK~YTt~2 zg`w-zgpGQhWl1l5dZ5bwxfq^L4`O55^22LwwW9QMDWKw}aAFvjoSwd(sOMe}tW-;` zbg(JUqoCSm^ty(c8sF^ux$l9T8SfVm7?RTh7DGZ~I1AtJXGdK9e$TYA0Q#6yoA8V$m z#k{`#z>EY~*bTJ2u0=k0f z>I5+*mVl%ARD1s4W`EQy;=LQiU@pFN|E{B4O~YC5iX_yhd}+wHuAeGdkSd~v^8Pv` z?LByICbe7oC5@7Cg!r=f8UA}`U>rC^PIq!@$udrlSxUUYZLaDaDtA(Qh)K+8rurQ! 
zB9FKH)hE&WH{^5~)pC34!&H4@q!H$ivY!NExnuccj(N#i#1kBbg|Ry$#HUuL5v*+katcp)}9I zo~!K2++~?pkImN}-cW^Mx71sga(ZQc}`BFhz$(qh~b17HWKHG%DQ6Od#E_qS8h0>lzv# z8n9P_@eySU^ZY$)5=Q^;ty%&7M}4vok+Fk zhPrm5n2Jk(6*Ol>EPU?v;nJ@)X{X&xwm0JCpp06xnflsO>PK|up|!koBO1>t?cryo zy=?Kl|CDk+gR(@PCbCnPG3p0rY>)fEa>V6O4Q@&RDU^OJ$8h%Od+%&TrNwq{N8hP7 z()|XXd$3;Qzptv2qPQycvX!J|$LS`_aT1>L1dpgJLTBxC7 z)}vfyYO49JbZp6|7IaLJ(R zPO_VhfZP><?4fo)szhlG|YSP)pb!C;6w5otP z>Jk%XRMXQ-2-}#dS#KrPo#V;NuR3t6X@AfZ;mLmMg!LQ?HE9hXH4|n*72`Z5*n`6p z3&`EZV)t*Ujs z-2_1P&#@=VD_&WOY>VR6+h7I*hut+RCoaA|Y99)IwTQ4!=FRW7Cb-fEiw6?sHQAOW z4>wf6D|c_yueT8yO9*o78uDFowNmfryf=UF$iJe|dS}y^kPJ!U5Um}HtrjD@04*&J z8)1i&fji&ww@=Rc5&(k9c2bR#qv4&4Pgd7!pZoK859-u~4X*3@>5a3F% zO^oEkXTxCWS!kDiY0(p&xR09WJVgPAE5%`9{Y?(f4yBU5^pm!7dFUvO=0`n+y18`= z8=|c;~BbP!$ zG(yU*Du|4BcEV1-5?1TUFi8-WF=@U!!*%gv!Xx8))OF3x5dzeSq{xcweqXz_qK>!z z_?b~9rPh_*L1}xOryZ8mY_`AkGh${z@to&z6|^R=l`%CVAB9PkTTX9S6c~{Tze$Wa zTa8i7{LNl`9~P`*!t2s^NOjLL{~crAa5Q+=Top9)6}4!?*}TCEQ@_%OPSo(QheW!3PVdj3K8K?Q=PT!@nE;EY_bMwZfoyb?(kB~LIyyQy z9FC_n+^pbg_tE!VY|imACm+EP`I8Rjaaili;xM7Z%)}JcbL7&hp`+jMSO>_aVqo+S z6aI*!%%|D1;jZ2^+3g{f{#16ft%vH$hbqVw@#sW``6xi-woXU3@Y~X7&AydD|FWg;Sc0Px18lcqsG`S>pv*UekxTsuV}+J7Sa-64n}!DB8mwQ_e;1IY$tx))w#$>nlbTA3Ffm=K^`PnHEq$VS z)YQ^DvhO~?p%5)etnxCjzf;FZz~8q2S?HB72Nc{EG-Scl@R8xvn5O)7=!Yw~p*Z#$Xp&?C&8vBzZvaJDv<#WQWcE5@PBu^J|S5qb^yP`VP zIhw&ug%Q%7S+hb)$0v*BU_(l7h!Fs=He4u}P=-OwNy6e=HM!nPu?&NMZ>QzOyJ5Ls zi;D}laNVthIsW$2>#c-u4XW&qGQEUxUw6vAblD8R0XrGPzN}L@h~BAhJWBUpI8Rk8 zy&;R92D_Iv11&vIPtx{2Og&oU9h%hF7pIH%PbSn z7STn($9P%%%pw(liP2nevsT zpwTQ%a?HQ0({MPdAuEADbs1)F2gk4slnBW}>(w98V3KpXDLAaVr;H)5`P0R5T%xkj zazQ%A{S2u9sk#7-cC6*tW3DcDw+`3U_i6)i0tP%li$|FI-MvMETevm8Qt!PbG$l>= zwdUxY3=v)^Jq>L4OsIYNa%b|HH)pQX1XVMjZNB0o@d~0!gz^5mgpVJvOToF3TII`z zETposA6L?-XgK`9 zfA2<=PiQwKonTd(s2&f`nq7wMKa{~;#8Cf=%UWS!%7FG+#Zi>(n2kN%BQhD$P_FoV z^t9=(IC9LiO-0?y6WP_%V8>L0>J2f9v*di_c$&AH`B+FDp^OwmFX1em{E@+l28Eu^S6 zD?3NYl29E;RV0mK%*NGshg|oZf_iCrtelmUWU(_>{<8u6M%E`;aK36 
z>lXo)FJa3I<6qa%;4M=2tO_58Yv(v4?aL{tJFr8$jA_o^;SXUkrFJ{Cxd@T0u z*PA4DOMOHBM&{Cyg(l{tg9_65Y(w)#<<&>>e@5k!Io-T_cl7f3X2Aq$5fx!*TYWxKVF@00 z_FmFnPZD#O_zZ&$p-}E8n{|0`xM{P5X}pJn11}%nCVtx4+@HvssdwYnA2lw02P>B7 zhqm*qOk=UwaJgT0HO6r5l0*K?+5ej+Sn1Gae@@@ie{nUk|C?}_BlL1#Sxp6A zqW({F<`OESA6jbumwK2}3H@I>;Xkijy0okk*^SMFF#Y#IYv_}<|0WR(8Ls~N&+`wE zm;Y<`|3Cf%%KyjYKgRL@u0h~3Ay+P4`o5x_uOP!5ze})Qi0Fy$$P?=ZLsL#%Jre^vqlB zY^mJu`O|%IJtDJ4L>9QVp8{E=ktw&pBnDNXvzyd@{1aNkkN!Q+{5*e8xY!O(>w|84 zl}v1rQYMxQwSwb&ci(M^I=Q}5#`O1E>t}N@lV8Nz=PhAj$+xR;?tZufaha-j#|PrL z_{9TnyJfp~l*dWq?DS2C(tkej{PW2#4DvKSO$Mn5lTq=T?QS5yYer-?|01Ko4oBW# zqH{aW?+EZJLJ0FnE!sIhW%6JTHgCI<}-bZt&4>R?^wor>~3E*8vS)XN@f?iZt3oJ%=8Jc4}si(i@vRzExFQ zp0(ap`WO&k5LEF^6J%R?GVU>JXYBoW^8yE_TLO=+Ub>{zb)FP9V@s537K6zk&!i0O zEbVOg4s^A}qpdFF)a#w*!L5NtGL6X1G~jd%L5@xiJd=$^rRMnhjcEBe1aixPr*)|g zaRbC^>n!GY7iPP&7tE5^PAo?qhYif8G{TH^>=6N=!MvHSgeM893HP&gBf@|P-bOKM zCj@T)X-|>Er^-cGE#9`5(OBxu_QtIwkcKd>29%RJJsmG6Hr4S+VTB8-g%T*1-{gZ9 z+ix?F<#$2-f%@p*Fy3?-Bu|IyKF(cA<}QPhiqrRyPxa?{@4Pk>qEemT)}2N#=jsfl zZ}O*dIop5|hOF$wl9@wI65ZTq-N4Ysk*U}{H^+sQba@@ek^zS;TZbVCYoRg?^Kv|+ zTBg&9zFdhePfltA03d_Z)V-Mr3Cb<0edfKCTcZ}fb69SB7^3YM9kwC-&bind0GM|% zbW;s++w|%06(LZO1+9McIx)DcJUb3i80$tcFE=Pf}|$+GX` zj+)WP1~aoqKO8y#mv5Ysxpw|2ed4`-wdlY}M%tlA;K<3ZJR^2gDhIg~AZ??Ytwo*1 z0$jYjBgrXguT9k&U%5wA-Xee5egKDbd9RecFtU1AM@OO2ymk<&`28*aNKJjC@hA3R zpY`t!H==Dd;$%Z%UH`2GP%o;x#g_j3&8R&@Oe@Mpwb zyd(GRrhRR0QQe+MRSk)KRiY2d7vf0YuDVY}y(uldSwmr}^!9D|?8u_B?v>slCN({8 zfNA276Z2N7c_;qSMBzi;deadxq5P>=>1{I$2Xf%;RYj?=AGARYog!8KTU@*oG%jDL zAZn&p@D!E{TKAZkUk_cYQ<=PHJ%X_oSy!o^BEQ=?mh^t17tU=n9lP2L*Ql@{Fr3AG@o* zmQ;q;w6)!K6TL@CrRJG=Ae>+u7a4GIi$Y~y@fYn=Wjf$c(e5KjZ_?+Kk|&U1wwQ>x z4bN1u)J4wzXz$?%3iABX{)XK5EcPO%eXf1ZWG4)^O{!Vor!(Mj%O3uSsx~u=tfm zQ3bC$l0Z%AvZ%&;i(N-Q(W(a05BxAq9-fCD;w6pc%@wZv`Dr_nl4;&*>d3ik zG3b8+iV6nq)5Dqym-Tb>zZF(Z7cvYP`BKa{O0HmB@=?PxCBj~fK0ZEan;h0&?v5uP z!oo0bpMeDEM5oeB2R-8|5koV>cj#e(o+?!;H}$~=8c9{CZyQe49=FtF<>CLLAC$=t 
zcoOD?>ciDpIc7nAT`}Ruv-GwpM2)Y8`^RZ7KZ#tT}_0UIgu$PnhTp$HA{$xT-_ng#%qSR`S_znNVlA&uxFw#>5Fhf`u}d4Sm;om>Dq#G) z-=;8ZR!s6Qeo^=MqLKiJ9iQ4F=uU1**F2C+sATk>Vov`1>SchPmbxmCiuIjJwP3+* zILB)|$Z7mD-QDo8o8suCDr$27HzysP3S@@gDOJx7Pp*!E%r~8?@2@PuhGbH)AIFAA z?M5OLwO}I5GK&c2&%;f7HY)<`c~3O>$UWNfdsWv<&rfxLlY4|jQX@wI+595+Yn!*2 zcft!iN=@x*tirSl^otk{L?qnW1mx&-8ax|K)zdYq0fKMpyxmker&Qqp?Qb>eN7FtZ z17O*JNK%pwL@Qg^Edx)Jz9}HZ(n_}!9;T}L^%VghY?%d+?=pkIGCh5xK$87`b9F_(8T(L>x4k*UcpTV~c3kD~71>NW4 zBc~0-ugCvnuF(c2=L~8UC8fq08`*Iv0s;d@achxVGX?Ru(}vTq0Ih3DUsqF&qj>a+ z@VAdkS60=!v`fMkmue=d)B>4n6zfm)x)tAA8l=AS359&$FCTbjWv5?ebK&Cez<*aF zeRhD5y^2v>Rli0imTGtfe#e$(@-u%9ly7%p0IyV_AHgPYO#R$0a(NX*1hToz|FGub z7D!jy9|>kR-lZmH4^ail3?U7IYA-uE&g~#X+o%IN|Ksoz zEonn5n~$samRWuITIJR7YQL?6Z~B9f${E`pmSm$V(u-~}4k9T(pUSv5u%=iIIwMgnGie~jZo*~c)2S@DQ$-s2& zfPCZ{GaQ)n*66Nvc$P=iw4IZ!mk0Gxd-fm?-+&G$3oxYCqxO+^mnbN-KoJM)q`7gTp- zYB;-T)Zg(bl6oKzzOvXar#*0$hD$J+GH7e7!_Em>XK!0|7MLE%69%SBEY3Ep(J!0! znH;ipsu1@LxvbU8#m)CqE8^xMwVDIp&;YehLCX_ME0?D(eH0g=Tr2B^XYoBPVR+@} zbng8ou8LPVGb!pTSa4Otsn9@NT>So>v#bWjOX3vk;r|YX)~Y#Eg|^3L&7{%A6^z;? 
zhndC5=gi;GDvH~agli{1B6|cshIanVPgq-Yrx%#Gb^V8+YhjC`aS@DE-%X%OACHcE5jdOKBw%fDCV zaqu~+qm3GyBG4zb^jk@Nqnmd8nROs8u@v6rb{yue$ro42b%Q#Qt@+2r4=w=0SDTSfBd3xm0}>5N!8_$D@f} zO!#_YMqIdt3K`>)Hp6=xo`*^Rs6L}=0sVAQ0#y<`FPqodJ;PQcU*LH$)D`L-9*~Ro z6lPB7bC!8No|8@7x^d&Ez0Tpc*`EYn6yv=K492-nQ4GWrF}=FLSJJeZ%E>Z$?5+7O zHMo6`cdK{5Iev;cgBYJd6RV@dCLYzOmnDeS^^KbdH=774NSfL_0&DW2!-H&cnv+%e znQy7c&)UG*MMN zl)rdRb%jTp#FpGoHDZanK^>A70y(L>e<%29yj@LL=~9wDsp*?uvx{7zgaY4?%k##k z!G{pZ>j{!E9%Jg9Ujmn=%Q=)C6W}>N0Yl$4W2$mWa%#o99mmNwZfF%i@xVnAJq{W3 zRMA^_2DDxntFaPa16b}qvaAAu_}*8RXms&WHE_9+BbeKa_)HzB=*|_B)zzx zXkvK_o1Q_sy%um@Y%>1YXP(Agrb0YPd9>ksjHs0(2Vz=NtdHEgce_Wc<`@@>bjxZ_ znRv00w}KXm*L}$lr8x!1H`zm?nG12n1TK5&@ZB zIeYP4cCOO+W{5Guc^3u%yv4jR|9xpBp=K>aM_RT7?A9DiM`_2ja~^?vhL-o8<8n@xmHp+V==qzC0zIXBqW5wWNZwdu~SQ1vWSZi zy^g-MqWN%+)kRdqr#2BB34QaV{O3~l&rbt@78b&yhUbp8Apza%u# zz)hRzmfqzO8BhGz)KM+EB`YhCA5?Y7cRm&iur_=977xUvM*ju^iRq-pE zQJbc($>532IXq+f6gBwWEr{MlBw3ZubOd|h`)g-iC0CppzTx+ej^usfN28&FXgDy6 zMXglh7-&nCQ#!CYp~HJj&RPP5`Vp8!Y) zcOYm=!k&6yoZT1HkcApbG4xEc-0%RFIEqGA95y=48r#{{)TQhLf${JGQTwkARTXQH zCH?e@Njul%l=jGl7CS9hK z<=v0%%;)v(gcqC6h)X{>+Gj@h`$a>Cr);Y3rIz(AJ2*BJpoZ#?mLNZ~Z4hcx5>xh= zn?IKwmvYs8-3zq86~akbUA2iPee4LAyv`{n`f0_@BKn-+df^P|S?=bw+h9jJ)?^~qB2beNOm>Nqs(4&^}-Rui0(6h#HdM@X! z)4sle^xInwn5L4Mnc+#;3T4W4YSe(T*U6eZ_@yPi!Ma&-{?HhWV^vLx#K$|au;!AP zUry%eq`x9dt3$+}+T+9<1WSg#ZQ3Hr4`KMdgxiVCmMS1~ON0^Fpm1MVjZaNJv-3_= z#1pUD$?0OpS{ogZ3wcG>zfgLXoSyx;CmO1T9viZ&y-vo$5gtMomrH>S-1{<;LZ0G! 
z!nkbu6xYSrrzu8uJ0G3fkoo9V=Y^H?W<>yVv_>ny1^Yl}YVbWV9Z>n`fWXAx{5(zu zsqbR;%s+!L`$LZG=lM(@NZz;;sy4tZ>g6OQ!%ptgOsUnMB>!eJd%ip$tgL&qnVX(I z9k7K{JRB4wcXsJ$`0X_^-~7e7R6^baXtg)hMOeqK?HzH#sOOX|ENl8-XzlXP+JCb?Dt#I)zGro$`M^;W0T?wMtGe`!GteC{WpI|5qFvP3r5X8`M}7ET7ZwtN0CneEdM5UDnV&7d1}rPk*e^4&Yx5tmkZwS zB{0YhzjJryP(5Kz3?v8NmoD-CF4*s9$fSzb$wP)SA5|%38eQyzmoAyJU6APyd%00y zqtF9y8v_&IpM>`u;qrwLhHs+CdM?BY`e*PFc_W8cCJl|~$w>AxB#S$6_%AQ@UbM0k zTsdFmME-GPa-5cj;@5f{spQCT|>_lEBm4zF+}D}&-?x`Y3mOxTfob+M5w&u9{*bY57xlF2wm zV%P9W$Lujq==e`7S$_Zy&qh{89C(+m?oXjs8r;FCl}QVf5IKHO$&3?nz3A^d!_^Dz zzPJ~W-Pfk8;%9BS=N@WWG%?+%1wr;*BPtmVl~&K(r=%4e(@N6k-zfTJIUE&VWF%w^ z7N}4w1!Qh>jbeDEpn94XSJh)Olcw01q@0Ob*i|}YJ>PFtRaJuzkcrc#(0?v^Y*GB} zFJE>|R%YuUuSr}TQt2{%WJC0GCGr9QObaN;^TbaXsO57Nhe$tWR+6I!(M~X3ri$|S zS&Nnzf5y9BbzmegBL(EcY_3Nh57f$gKW>&7x~abYJ6U7Rpn-79i$*IQ6Z6B=e7|fjhLX$QBPy z!0nG5%obEP6nnoUN{OUuB8zP@A~Udk%Y#aP9e4!zi$866=AR>fSU`PY;g{yd-u#}4 z+he)N@D6X>8j`E;1@h`I)G znWCtbRpPjkQII_^WXH2c^Nds&8bTakoG?nWycU z&bar|9?})Icwht^Uf5mz*H2KSW*5bHK}%lxt_Ju(hD1plj@&&u2(2OWSjviJXPrU& z+N;N8i{gzw^N|0|YP;iKx!EfJ$`hHEk*^7gg7*R(lPgBw!t^>*gw z99fU=czo`$0zJx`Ip5J}xJ|$` zJ0A_1U&VlGm)2*=Bmj1&d<%9~CcWo0+J^Cw9eta2;2AY@J~21WvL!I#wfkLiDEOo- zn0edpw4jD#24x{!a~mjknM_=U#Qym4gEqaO?OF9#)4#xuS)MF814;EiKBMfOt*KDf z7(0@gd8bOkHQKy-UWzJo(n78@HG2p?D}jk&)!h>=0Zlmd)XD0svHjr8-ipc=;2JVY zJFCfLy5~|o!U*}z?S~HU|~hiZc4>_h2ma zbY!8q8x62<;{%)gBG__XR`K!GVSyZX92!LF)E^As-(gb zbLQ4#tH~fSnFCea#Q6y{inM_7AnAFYotzc29*r}f%vSPikg(4%`+?IjEc_<}m;h3i zy(Of(6lxc~-5r#JfpmD1-gG+$Xbso+wu59JNQ<0HhW{#)eSgLZ$kev~Vait$ByaCt zFzj3>>9GA30lYpnu#AVrQXqVPt?YZJ z>06Fy**oDPBNp#Xr&ewb)OOPB4T{!PRoE_#d7C+Vp@Em0&$3^mrIoANErpg!cKcm4 z;tIxCM(UoU8T?va*5xQcCv8Nh^=bMr+OG$1g>vq2VT6O3STBIndwc<0Z=z}@IKqMr zu-Zuu*VW0HAApV!%|7MbOor}Xtn)_Ds+Fo?$SR{#L5|4GeTv}Mq>m^A3YNGNM$&vn*~V~uk^ zpI5-ey6w~L>x7H1x9O!k1Dp*kwi8ZRz0co_JF}36c1R~pRfH6QG2cCZlI8X+X<`n2 zGAnzuu0#Xt3m~;`XQs$JbSp17AM(ltvK?fcBYZKqG{i=p|~u~g~@bPwjNg2<2G6UO@+44VLiIr_SbE9>oP?JaLEa@-P7ri+;Q+a#HZQJxq5<_Tej*|^MzU>-K=ap 
zm67?iO4;I}m(c)4x_TZ8_en^Mv7GThO|(cU&we#R`D?e`*t&;LP(ju5}#<$KL}vsL7{iSsLaF}K81Rl{c)`}z3IE#CaN;u-1cV_#C!C+nY2Rse;g?lLZ_LYo+_ zr;YcxWDZyeuO9j|w~Z_w3_x=O^5A1Kf>uQ$!VN!EW<1*92V}kSguZ}G!l$nj$?==I zfp)f#ac(!~t}a9(T^;-s z-p^#(`t&K2aG8w1x(d1ehv_x4#lgj{l(O4{=pSUkn%;7H{rqqa-5$E%dNymgG8eCS zP%_R>T3a{YZ}KD{uGcN!j%Il-#syFgZW4Q5u^#H>%Yq71JP>=kjW$Nwvj-s^0x-|) zTGKoRVgd;L8fE^YCI?&gUbjUZ@htnT$AO9=iia$U6PV$)@URppyk4R;3|MmIH1k04s z=+`03=lqkar0#XrzWDLovpcPm9`(%=?)5tfC0UK_fxxAxrN*?%r6Sy3H8ns9A?m0r zFT;{vck{SCNR~8*HN6&ohHtrZH#jV8d|uLpZ~e%gy*;!QUqX;4WDpHYui;sm63-2X z5TTLMvP1*7waiR!@EQm+D=cxOr3jR14A{!)cfR_=j0P41J+wa_tJ6y0w4&hMS(HjX@+as`Jj68BaMi8XSP+E7bHHW(4*`|) z8u(cf8L-xqDfE`V*P^|X^GuER+4Gy?h;|>8dQF(3SwlskV*13EyYFQD(Jr z->)5@u&-;^rgIS$^K`Chlya(@p8WjQ*#SoxdE}6oNX4G+6f?c)`K7cDByn9E95-KD zyS!Dxhh~ZCc0`$$*NT$>*}BT#rSl!Vd~fL~#neo~ojko~(4JMudCD+tV74@0&F0Iv z5^@`osqvmFeNA)KO{0^ILa(P+S8J2^w8i8Lbcr)9>7E*1An)Pizhb8IL>R00jSKpF zRc@Mid_`MOr)-d=LZb^>e+}Cb!v94W^VZ&sL}5JYbWDC_EYS%$_q9sjf!^L+*Drlwtd9dRjop3Drwn%Y%?x`Y=eL#hLll9Y zcQfvAwGDtrEy8qj{lkxmsKcJ+X`odcQKN+;>2h4SrSl0f zeblQz?R{t?o+UVJ1|OAn-AzV@aJD!jB8K)pa&A5Td0?hi0l=S$&?wyrE+l451A&50 zJQ*$Hewcp3>E`%=S6EMoGo2%Gt!DMQipWXOZKNq;Gq7W{B~}kqxyupqX3D@_RQ_@1 zzifMBZ;CApoOU^Al+N*`8)dgiTQdqg5OGMK!O+q>@)@Y?=cIE|pKJizp4MUsc6>HQ zNx1fFYvJ{+^sTbv)bO)_qp>#|AcFN$WKZq@l2m@w%IHKzB6_tpVxtvW3jU#Kz(!Be zij!hk-?bFXx{4nZ-8eoP&l)O&F2T}zaF{R?#O%pX?phg=q~N^Ttb&mi-TiL9r3bW}#&TYhk z9jZi<1Zem|q)S_vgBnc8nJ*pdvB*4M#nUY(b6A1sP@q&?fz;fVy8mN{US1x;G0&Jx z<`8M&7%?4>?4CCx3gHnZ+ghpy$zivDHGExZjti>1IFa+-$t=WzI16|yx3=J z#vI;fj11A%&zb3Kd?dCRGSO1fE)xDKF=5E1Tk)x?e&Q%8o4)fo(5dcTf4E9P z-#|!Oi<5@1)GGd6R4xD>rfu)j@iha=6jQ|6ZKaeJ2li8B^^}>Zrg zA`{_9CWEDqpt=PjUK4haY#XkJ`FWWt83k1cM2QL4luaIaanOrU%up|*zAnI-`_b50 zwLc}T1T^~Bxwf^ewyZr(vhVM`brraxrdbV&saT`?b!~RC7G$JZSC&kgdrY;5eP>N9Wz= zdOSd|(3*T$F=6X~iY;beei%4^3F`)5%Ga)tb%v)nm14+(f7`$B=w1 ze5DHO`3{DZP0cEoA{*1DLY!02ce=}>&SZVB%eFk;4>Vmn&ul)4iCAkPAJS*}^7cjA zU&TQ*3KkE~7%l&`5M-MgVi77m{o64wZAk~s zj{pGJn^qhBHO)q89v$B^PYR^t^wi|Z_fzm5|Gg)_=Esp~;u1`UV!HH6-tIrq$ddGL 
zcgiqWr}BF45E+p{;Wg5O0GJ64O-}Q$r5^Bd25qR&R z^uXZoE&rD0Z+?*|!MESPWY*ZC?P`9#?2l|ZEwm!s5~gjPH=o(GWa z@nnHn{GH9l>5CUbOi{0cQkVNb=>Z6b*9L{-4NKaSwBk=&KJ-k)6He(kGd>M@%0$T4m zwy&&O?rR#a7uJpmcS+P=HMXwr2gz!uNLz=5KhZHmoo(@Kw=IcNLK%0P zy6%Mf5U*mqc6|EmXx6;-Bt>dpr|)(04Z-)G?RPji8_D$-{k=qVtnx1;r%-JfHL!nAA9EhL{8zRP{0u zweQ!bEVNFkMc6yp^&;1Qa!jTEvK5T_Y2Ueh`yRE>;p_VwzYMPUTV9@e=2eTxt~ah7 z8I$Pu(eiYzc4~0Bnq#)h^ZHrCdH;R6egH9<0?Q1p@p3=w+_sACRizC}E%sCiM${H` z#Fiz&f~jr}%nH*rcEuV)d10eWH@iMS7kyp_)@eOcesN#@gj8bLEtH}fVuF~~k*Xc< z?$AlG{pCuqb&Z!^d2$Dy(~@0pAe@}DoPc&fPl2nTLM8!=tV`k zbO_QxYAB(F03iu;g1`6X&06zj&8+q2kD2BECppPJ-+gxb?(g^WEoZl)v(N91ZIItM zAjN;YAwYIPu``ek((f$#&gc^e-N{>kw{r(E#FL&r@Y-KRL-G#?JIkRTo`<}A(?)2P zp?;^p`D3rvfY|N0l6Bg7G7EKcg#`!Oyiq=SJ~M}V2l_IY-yAnG>XOlZ!5y2XWs8eMuyxJ*KO!d5Y)W z@D5Nl6k$E@yUChwojRL+san^U-mVt5|5SDiZSOP5e&qsBZH4RxicXINeW~TZ9>^>2v~JlT?k7!4QIm0m3E?D-#CdiU z4lE=e5?r(1M@5*44YQ+@)Q)FwNby;>%T62?LCt8<+cWy??*(*wS<2*PQ%Swtw%^m- z=-=BUdaQhZs!-ZmlfU^Xufg90KRxtx!=9NZO)rp2Zt-V(9?XKZfNP~8A@_2eYjHze zw~nF7#Pj}crv57cdmMQ(@|GgEd~zA)^mjzWtW|gFJ!@S&{!fr1ym`=kHP%^a^>A}1 zsxMy1CcW*a=lIceS}h~T87iCfpxh&)4=timLm8H+=)VFn2I=%%_gW0RTv`;E!3TfP zQizS#h5O4b$vCN+#&ik+Jo6>5MC@kp%hzhq?}IP*Vu9$=(Ha@t^$f@V%G2cyWSh+!?`MONcE zr)ufTM5K6y3SSv!I7Yn1-51K4dqkh=G^iE*~)bE&1n8c<$k3E_$C3r2MNPDaNVi~iq2ICjNi|no2V#ffiXUDF4X4b(>b$$)CVC=eOIH zJASPS__5XWl=P9|CZ66`BLKB!yprD7I4b6j;)!P+5NqZI<*JBsmDh;|95ygbfIt*# zru9HZ7*bbQ91vQm6V09lR?GK=8AGjBc-WJZPGmPT>b# zTc5)HL?`Xr@T-eE`A=gr8RPi<)f1&`JMc~UhYA)kG9>gd&Ra9EG{T1Dyt0L}Qc)#M z(7e%XeracT_aUeI@_DJ#n;Txjb1$P$UAN~XY)c|InNT0)@WGlZqNyOz_V{7o8coPy zB=ND%kUd7A`($e?)DgkJK1^dWJ_qpWHVrqV0aibMZlrxP@S4K zHiZmxQs6QT2p(p>v3;3mZpKZ*$7}CRsr>uk2Zc@TE3i9RKaC0)LrlvKpHv+N_o8xW z5*bqbW!vlJeEr^4bi}hqgU)jg+$|&wRpifVFCoPBoXdD>QlOhGPtsBoUA^^RMxm%B zH@5BvKC8H{Zt~jEJy@vRscMEfI(t8wH@Z`?rrsw2(Kv16SPYvoG8}90i*94MN~>e$ zez2nFA3vQ7>xr$r)~HT9lwO(+@4chJtB#9NKw2xHq!YU{44NvYwY2qr!rW8hq`$4* zozpgNnsAwM=;`D0_<;p-oe*Jt;_b`nnKi0f*PAEwO;Y9U-H!@1Y+io;+J{6Y!^(`K 
zVaA%c$QL#)Eq#W|?qwp;%E5*QD|;d-NF!|S0MbC8K2^bLEO|YrJK}}_VqG;{<(saF zp-0^}>oVaqejF&g0JHN^##dL@+iCV^gn&Dux!S`djxMOhGD&;AnoZENk^3f=5dTg= z0a|&@*!uwlYh!Hqu9x56(^}7Qf3XY&8TyCt#w&$+ekrA8~vGTLQp);i< zpuDp22j0YNi_05v^vJ%fT1G~dCCgaN03#v* z3s5Vo4n~XO@Xr|D+Uw2)k^F(Ou~=CHbvOvb3T0LAXlhcac|mwXu{mppOzQ9t7pvbO zB!3MgM>W2R9C`y-h%zJvgBT*Cf^o;1;?jCqCDc%6X`44#L)KX@H_jloR*HpD78(FE!s_n+BDH1;k9e<|HNYqWcPPDKIF{jBO3UiYYEQDPfj&@1CAKNKUeUi(Ok@n} zTKu{a{cb3c?JE7)b7dml;a4#0k;j<__-YAE+7Dl<5ibXa@q&2b^Q6A?Kn|uafW_`a z1}<}`p|xmYvZ>V(EIiL+v{{Ni`aaT};Ws*tI#Gb6@j9V~!?c9%q%CxD+z1x- zKozlI_l|fsQN#FNc~_Avm%Y5v6eA%*ELL(9<3b-9l=vRcR{#Cs`NrNYKRFDdutd=77kD0+qsKg`%`h%W!4YHl{ z&acN-`{;LAj5Tbw!}D_p$Z#g#fWwM&6%)tuC?6%MIGoZ?ynG7G$@)ZEHZ(K!WKQrD zD(#RForzh9(6+x@YoxZ3g!f3V>fs*NeNmgFZ*ad171K!HI)(fpZoPe z66t*op4SZ|F93c$`kM8#mw5=vUjPbm5twr6Ri8IZ&{jjuk`V{w1S?|LXs)j7 zX^9ZhNKNStq;)E3wG@4Iciezs!gBF`6r2Sx08lMUY$((EjI2qvG49t(N;_2qc)NI= zeE5vfHqcw_p0o(4Xv`}ae$k3$#w^$hudl0*X~3&0RcN&USaYmaN&+PoQ}&Hjv{*U3 zXxh5gh}^Gw_cySa2Rh#IGY&|pjP|72&pVGy-1M_+?hfd&7#o>U9xH5!Y@$nQ>nk(#|l|8X!d``=i}ZWH%~gg4Sff_B~T{5pjL>%fP| zC^tt<$im=@kz6IlD{{c;6iNa(`5i@#H2>h_t5WG1K8w>|vrI_fRMvh1YBC2%;8s$j z;p$t)%#(-OXy113FT+a6)%yILbSP+nHA$6M_5(>EQOPS};}S;-fqL!B;rlRI!0e1KZq97bH#nU1nJwUH>-zQ%8iwKOdNP44=Ny| z=BvAg8Prv+HKqA38t;mRfLmRjz<7A(f+)5a{)Cp%b7#7gk8e18F)}qn?+_=;l5nY> z8DrjKg8S`4_mW~KefKNp=)dnjh+6--*XE}; zs|b+s!Rav=h{wcu1?gFjscJdrjq4b@*yEtOfa&qRnk#a-1_hXhhKGJQeHUeS!A3@i z`32d)`%1^v%tH;L;EvNss4Bd?(%;K_=i3IF+_4OUWoIX+Qobx5gO+x>t6J-Py|Nu5 znwFWJrl8rd7Wa*(b@e?-mY)np>!SrgB0qG;*NYMR68?OQlKStNuwQ`%@>s2+k+((} zldHhUk9*7KLnDXp9_2>Noy67()W{(7(<6Z_EzM}HraU8MY*(lM83VnTIHPBG zomRNad&27O-&twFD^DzyGN(pHX|GmUs(BkOBu(Df`;HmTb$FZ_(94?_A@;J#;uOkf zAOtGZQ}D6OE3!|ZlWFoUW3Y`^5CU2FNK+DL8-(M7lq@~N+h0gVM|@=6a1K)$5SiL6 zY>SbLe~@QT!7y>q7sCoFo3*K!^i+Uki3PGYOO5AeNO{U(GOfVsh&084mB8kR8vdFnC9ep_lWKq48-gyOY$ksW^cXOvcI@1^*1xHMu z2Rs5kd!Gegzt2%gP5E%TZM1Khmj8VhT?G-63W|+_hbr`nu(uIk6-z zHKXI?Tg1o|iTSgqOHC)oQ7uP}bKW!MdXg@`3%^L}6`c0=1yh+P$NhcB8u1U{MNP$4 
zRqe)GA35uLkyG!HjT=ottf+%yP_B@PH4oeo8znSu_JV;nvHOOdOkTvA0))_3zrrc{ zzAyO68uO0kKL)GPCdshLhKubZFHWE{cR_a&k7Nj-itnS_aqYAIOyaS*cRe27hYgq- zH+ef(+$DvjCHzc)wR>CB&7rM_jC&mTu*N1_%Mt@9Jw@V^Q1{rX$;RVrHCAG2?}u;x zePu=^yIfN^t%JX1s5s^G&L66u*`Hz)p-GNacykx0kDm8^^;%|g`CZB!cW}rRu-B0E z^ToFtXx|k2@nzjcF#HMV^(4qq-RV)s=kCvg9Ml>0*_W`(ALrdohHGMV%0B(1`3@w5 zG4>t;Q<8Kn&qCqjh-_KKZRJ9+vGctw-R3 z{um@{RK$(GXo1HIMXlXBQ}@1HbUF4(Z>cZrur;Ko6pztwEGPlKS5A5;K=^&q>%W*z z-3H|zO(V+ym`QB+iqbQE!#~Y5A3uQnNhJ|e)JK6SnP;gHD@i-=4NjxcXT=eSS5#1KTk;>U$OgHGbvLl|A z`r!)=HVD@OzS12sq&6)De28T4*XfB4n@O#*zQPjBB z5o#a{oGii!52GM&s(Ou1-GCCb0ey-gbMH+J11`>us;2C^v;WR>5R0M6g^j{&PL^=lSDxG3rB0cc)tXu*n3jEHA~_tKT0J6 zw44!^NiW_6h)ra^>rrW*k@7-x8yZ^6SGB(Y#Ml0`{GaQ6a4e`EKohmMJnBpomcs>V zC?5qx?+5sWOHNrv?@d3~vaV40W>L!mZr4{@wsKArO0wTdR&6ZLEvfotfF?t^m zBFFS~>7H4$&t3UR$gWq=OG2$&YwWYBVhmVuLI|=LjHR3FqZ1sIpkpi3(=U*nxnnB* zB1T&_=2hQtv!aG&_!XO~86S$6yLU_mOjZ?(w3k0ku=a~={~WH=`@?rvQS&(fhs>D2 zsGZ#GU&Z>QYjuRAFHLUMt1n9!+Y?7CNN?j7ho4k@Wrg-Bq;CkmP*Vk_>p3s8w_V6> zVBYE||H97(Y!5``K0&=}`)KniXiK$d;6`4_w7yMg%QpsKqXAZ()UzEYCl3UJ;igjJ z;Gt~x=Q5LRID=wE+YOqL{U%GGAhNsUPW_o4nZ*aBIC}Q-MEN2sy*TQe^o$*0a$G+_ zu2bu?juVo>Z$($Pq0j+x=8*RvwrPlA(;Va`ivtBB?ujz_Xvf zUHIj|4P4y%4@uVD|9iHQh%+$YtnvdBvYz{^{CxB8xlsNy((iB%nq;~ya+sLwMErCo zI35m;cbqO2>r+lnL;JNk2|80L>$1-@QY@|B;W8_MV8Mk8<#g!}oPZ2dPO z(;tG7+~k3pr+mu*#GB1C`!-0b;t5j9L)@8|7_+Tk&hHjE7cK!K!nVU_PA2O{f2Ngh zoC9}~FXtVy$$y`fTY|-8FT-)UBr-Xms`$UElBeN+UNtn5FWcM3`CyK_KdPAmUPRQ| z4tU`Ue~Xy@oO;}l(t?=SU!Sj8%vvX~Tnkwq?g^oCnTDHvF(jiGpI1Z4gJp7ZXX7*N z3BJC+%a|4BV)W=sU*twh{BztD7b*YcFgDVF?fRd&QL5|!atHXkKO!R-^Zxe?U&5o5 zTjlpoPTz+?%t%68r(X8kb)xPILpxgW1+{4CUF9y7B+q7tw#FQDwjsh{XX0fIs^ES3 zTopC1)QaA3EK zI<9<3g%eu@+|gHJ{>oFLeiyQvHH3%&e6n5e{y%e>n9*_mr>%oRu`s~;;;3>;gr{9m z2s(_A4#XE5E00cl)?yaY=|mu4cTf{Crt6E_Bg5Sbd0Fa&ZeMS;fv}cZj$y7!H}ByA zO0i2C-Iez7A*B@TPt*w$iwz3I_&%X9l3Lc0JlnYS&8JbPIvu8dJF)p$jCQzD-q!nq zxtau(3Kw+A)1g)c|DV`w@>rP|uaQqf#HDr4kd8p+y>MKHwzc9{P+nRK#K1-E379?@ zha7|k_nG=`u=TyaDGS%gihs`Fog?)Sua}x*_^~*xN^GQUh(=DI3#8&nce&xw0EWW1 
zh)XU|=@EYIw#YRJscJQ@y|0cvlp*m77aG*f=~YH$-D`2EZ(TyCSr5w-+{R6f(#?`4 zCaG$0X-Cf*`sW#M?u!VwF^i3nRL; zhSHJ`{W$`R^ik1)O^k+areW1n zIGfZpOnsL>d0TwG%9{;DxOzWdxAW5VnVb;4}&+si7wM&0vALDs$r9TQiyKrnPn=MJk0-FA&As5@Aj3 z-Hi@kVW;Xc7>0(pE2KpVshI-Y8i#Yux0`v2MXGkWLx&+Zz`mYeS@)O9;;vn`=|a5}C*D{7b};!kaVxPSCzL`2Re%Y1@S<41%`%@FpFXD;F9o?H&dHhbDE-7#7%bO8 zhs!j-QGRlc-k!?QrAO_%RxUeGI z**BT+UI{}S3t)DIB3mv*qtxvZN$t53SbWzd+c85=q?&E9Gk30%21G|avgS!2x__sW z&fE~}&gsROu`^~Jsn(iHUcXQ;VTwXBhkUPec9>B=F+7)6qEg3G<>=Z!K z%6uJlBWT^-8>HHiVb-V&lK-$r86Fd9clY*-Tt1~(oZ@=p==L(2^X74@aaSt2t0ouE zHtWH2nEHO9Et)i&hW#uM$@F^1vGHOsDWy1KGDx|km?o=tl(-nGQZu@i?s_34M3p`= zc#xhxo~{Tqlk4NFs1dE~x-`$t=wg3=&;O`>Vi0(}#LjsY{s#H_yT)>MS4e>&)u%!^ zvjSlm%yxH-c559iKF`UN~X!M+$-&usq!Mt>zy61kvX4j*j#1kwIWzf~Ebe8=1w58MT_gD&)p0+eJj*MWx0@mi zP-LAqpC(V=yu+FBG=BbsOmZ;^4v^^sot&q3JQUbJ*h8q_h>I|7$-HtKYiZoe#684s{ z#qp!9YSSbgx#rG=Gfjis;<*S)^6303{~JQt|3!K4H)*mi@t?@n)j~if#xdx>iO=)Q z`OUi>EUt}PHE{5megVwjXQW~tZ2do0g3$bTS^ob>_Wn=iBByzhj@*#m)pfbay6sS% zhZK<#C#W&hJEjIWn2WrM#@S+EFoOW{+CMU(s@^`>)HHMVeW4!}fkjFZ+|7NzgdQ&C zzn8IF?Qa&Cc~N$|6aTp(fPoo;k8NpLL=rR48$CvebmC7KnIVw;a_4R8Luktz?yLrG zwXl{wRKF>^SJ-1|XH*#tg5B3T{^|H@d4C+6-C-7`sz=A>1ylgWJk#>XNph^&^#q4& z>@lU3@9XY!?lsdO%+#=?P&dc5;73-{nz+j6in8YC7rC9La;FB^1Enqw1Xit;yM|l1 zirE{MY?$toj&T)v)r2uzQ((`AdBQw=YO01c#Y!b`XLlNKgKXgBBD>pdpLCEeJd`A+ z2=RLrbT~=?{jRIgB8!u5nH0z^`zI}qGYObxjKO4EZlBrld_zE>%;C+B5Q+M z1AHe-Q0~+ETZ_}LGpBq>!nPv~PIHJ%=c-mDI?~BLg!saD;RzVgmcOx+kh#7K;Dez=Wl(9!4B|;YJB`iM?%{qG>`dCZ#Mz zCX5+oZAhDl^9&G%wLkEHhH$>I+zA{sR8MexBg_# zBAk?0RP1H5cRb*QU=JDN0u3Kx!xptGv8fk!)5*#Zf|AUj&W)%1G4}_L8z=kZvHn~S zcS{oRVx|D2hHait4(5kc{3a46u$vOkFz(j$R_hQEezi(p%m#JXn@f`-Wt!GS5z07I zKG7`j;5DO~CyqwDKj;i+pte(rihtu9zZQ;p0vVvWIz?pa#@Rn;{oyq=i$`3bk@Fr% zxK2xJs_2vBxcF7h8E^vhVxL5gcowU9Ntbow=ka4wJdY1XPh{GpGbP%t@inp81#Fo6 zVz#e6PA<5Wx5et`HWIo@S$t{oaBKRYza(3EZ3xQ%b}i?AL-EEYcuTaTgBI z<|#XMuzl*4SxkrKXd3|jKqY=JDE>DlaegM9BCTm=E-BE zubbeHzJ{EZEKB-j$u7&WG!ZtUIhCD=(kGMKCSLQMRh5=m`GxXg@<%qFPJ6`0H0!=~ z^cP+OLm`=L9Ohi)%`C#0SjDvZb33 
zq=QFH{Vbz3R#;NlPLI;%aY3gqJ8-V%j}{XV2&#dQ%Dqd`EVV+!nanRmS%+B+LmNxj zoOyu)HD7sIQ?KD*<E;3j<+Ur*=b_Yi;4KP`SH9K{A?bjn1UkTfNjy z>9x~y`@yHy<+Q-mwTzy@6m^28KjU8KAi`M7y=NOp-Tb@TG;yl_NF$2yHoB}2-s7RQ za;L*p^0Nh0m#8kp$=)wSDt;0wR##!_DV>^w`4?2k@Popv=lpwye2YhPKMAUFgTlBj zNHxkT5kV~ynadUL0Gzb9M(|$Ks0S>-=i~uSHToe$qzrW-KsK*DKqC@85Ep++uI%*fo(;ry)3rs;HOnl=j%zN3c*A4v*gv}Px%fD zqm{qDX+q**vuS6%^DPe3txDmI30f#%JyB!hyP?8H6}I%L zRfsc}E`GBSde@LCxrJEXv_zxgcI$?Q3KNDRKB1K5?~9MmpI@*VaclNcRrL7e{5)Hz zR9z+Z9a1{c6W>aRA`qS`^_Tk^G-FDH#) z8M8?i4QMl-REnYT2}_Z^S16!Z?76Kbqro4r6q#gLQ7qZ^fz}1Ro_I4f0_*J^F3QhD zM|E{wb~L$Z2~&EVcF0=5*y2Y(HCXqPRb8DV2RFC%Hi-tGOn(CcNwFA=d}}HH;SNgz z^8ERS@z-f7sQ!A)Gm_}d!!!BZJWDw&qU(Y0Jt;1(_H3$?wu&n8uwm)-MZ+0eX&Io{VS?5lk6{)C=Q!)O@P2E0~@G%*2`VcK3|50+iYjKrs>v_oi zy9xY2Qqngi4O&AEQP!p^8qXlr-HY&GC5hWjAFS zx&TN2G{~W|{1F{+JR3RW!<9I7Ah|`27ZXJjN0I}rV{XnJn0Z9c?a(9-fe$azu#K1g zc&@CGV%rkrV>-5b$W^y8)lo9_ps0X*egAumC64#QNXk9pZIy0Ewl2f{SAS{ZC1pJc zhLkKU0Cr_!eumt+Wey26!EYU*5a+c&VT|LzxQ~uV++crg!(~hl)6D7ZQBo)CNfin# zk|7rzAz1YMp~2#8%^&fvYrxxH0(ZNH)ZP4stgWoQYOB58K{!W)staT|dd2XcH^+Qe zy;?{;i1V32x8t9huf87l#T?jv@4sq_OK>_Rh2j1IzHJibaG=eF-(y%dRpSiVFF)%ZuzSFL5Hn zwpwO0{!8eUe3wJVEEXNiC&GSB>g47+^x=H{|JXn3C&6W}9pQGwGBSLR#Bce6He zzJw^(+IsRX#QuHrn9VcxDeQd0$vATB$3YeQVdU+`&&XhvDCM<5zSF((mS=wvrsYwN z>Tqb_I+T6`gPGRb-vokU-)A(Am)$VNI6kWh4)qz>2r$D>^m{&3>HpX~kGhoA<{OoZEY4bhZEj`aNEPog; z^l$)u5+e2q&A6|B$CN;h&bt+SCN+FcQ8#a+)H@N-l&ugEovvx+`f%|1ZC|m_&`BqL zoV3=p4E4s%T~;(3I65I#Fv|OVBM?t))ja?vB+$<81*KAV|7`0E)POv4J#A5|7xlFs zKCTaX$e)$fa8eWvz&Jo#JI6U^FX=Ux&gl=5@!53Vpmfx!Oa^}Z z!rx>4zd(-20OPOnUt*R0e{rlyAvnx@&BI%lvv0+l{KMx?IjTsBc&nfNX4?6m&pn>k z99QZ#b3=lS{`lwWufbCOn+$85JIDFgFZ}G6pB9pJ1j8PZ^@2;01*4=71_jc z?$+&J-01i1=g$2ey8n-tO*@|)$GLNK3M!C?y1&=|@4f$<@16V2^MCVvvJCKBR5*9; zx0v)>LWs>XZ1#WuixSF$wS3hw)>*?UW zFZK)f)$l_Mw9RV%E&l70da`t&?OvcjuLnV3U-ooRmdw@8&23EzQ=NP8_g@dyR?S&2 zw!HdBNZAJO{mCT3Dy`{X4w%oZdgB8PBU%uRd+0$q5XEC31#5K$tB za9PYve3}vu{xXCY^SpF;BT^=wIwq`7yyELoinpswDTQl?&7Dmgqm-(o%S41wWPBmO 
z(XbzZJ4c*{D8t9CX&wUF)V=_cMY=Eei`xcaf%17wep#9@IZmBI*_OWsZHXL=vU@Io z-H`8UWiocZg!6;dh_C7;niBIVX#y~GPKH_~1nqK3$jmTe(;;`s>(P z`_Z8_f0Tcc8#N`>gz3Srb^qVVy(1dK51 z1irzeusF~@3?r^l6a4x+kc^lATaTV+8Kf?Y38=tC4Ux>YaFp#&HQ?C% E1G734IsgCw literal 0 HcmV?d00001 diff --git a/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig new file mode 100644 index 0000000000000000000000000000000000000000..e25828d780a2256526c8716484d5103afb6e63a8 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-MfL)@~pZ2ZdgB8PBU%uRd+0$q5ZkpKz_5K$tB za9PYve9YDl|7-vKTNzPqgY^)f1cX{I9Et1kP2ns)8;BG-1wy>Ye2-c#JV5p&Vv8!y ziyg~_vkT(B)}|=z%iK^d1z}9SlL)b zJJHw7O>aE?=go*LAs#VNIP5NEa2|VDQE0-thH;&txE`71>GX!j%#PR06UyGN{YY^%<`>P1=t5=xq4>`IU85&>)vXR-8!7+ z*kBXf*`Nl;OUj0Qf`Fu%M@_hN#>BD!Qp7{wR@eze?2T-f8h=VT{a zD~5}Kq@MGxrh=Q*+QXhkcheI%ml+?4Uln>}5x@0^7HBhXt0%E%>uC5=;FgK<+8a!1 zI8|Pgn`gfuGT$EeJ@&07qdiHa<2l=%Nlx0bl#k?~se{aQedr?56)C EY|2s^+yDRo literal 0 HcmV?d00001 
diff --git a/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig b/docs/complianced_image/QEMU/signature/harbian-audit_Debian_9.qcow2.sig deleted file mode 100644 index d9fad20f43da01be06f7cb56396bd31ddec33bb6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j-MfL)@~pZ2ZdgB8PBU%uRd+0$dwp#Q+Kk5K$tB za9PYve2%9N{S*>F`7ht3%R^He(Dr)ZUD0YQC%=g4nWXZ~EI$HbFM9paY3E>H*Ubfp zUTFzOY((VC(XS<1PfHvNYUW#3o1JnfCLDL6dFl-Avm#!^OJ;bu*}7KdOtgI9wL%3^Lrr6B6>m-xZ^ED`#@J1 zDNjKb7+mNJ@k;P7{MQ1)VN4mslcBXVcR=+q1YSHfzPaliOK42={{?lR7JiLmrg`F! z$HmKNpcXaBGBJsliOyz`{@#A$PpY1xabL&rw$~m;G8XG#0iR^OW-q}cp9ObC;Sg6m zf0Lt)%;IQ%49mxe8E>bxF$K(_az78}O+<6??F)D4?R~sFj3L)gE)U+YW#6(!)eL&_ zI-7XGZcP&VJmT>p{3~x>S=PZmRwTajmM(G<6B7+zj)7vXFBiNGZjQqGp|zj95!}O$ z@pM6Br%K9HH}bjB7Bp}74Of3dEQXpVz{!j_+S@H^M}aJi52G&}33;|NVQpmqAi|C@ zR*)nD0JO;lTP99a#ET*A@L428XQ%l3Fy_MA5)sqDgTz!HOMDqbh?WpCPJZdgB8PBU%uRd+0$d-+K>!K~5K$tB za9PYve1Z}W|6;$;gY2>r2MOT%sBE&{--TEJOt-T|1z~t4D}?w2^6b6A0Qc~7)SHbH z+vBjvArf^yy8fDWH*}CWVwpg!jQ<-5NP6xjR9?Sj#!4JoUB|42M@YdNplg)D+EKxT zjYX$JIA+!@|7?2IRiKT>*;-msaD6bV|&I2!|d1?#c=g8C*1c<(!EC^rN#27qmW$smh;lk95)Y32dH%qZ{^* z)R5BSa?Yqav4qb1seD$zFJ37%{v!i3TlnqtpY#4qEzP2YsbV9wdT6X_2NB1Dj7=8BR9sl))T8OIzvu{pW8kncj4wUkP|HEFwDSkLHcp*Flt?1N*6$bi^`v&&^vE{7=sL!q5$0ehdI;5qO74>17zMq>I_6VDYU&&*UFErD`YQ;RRkd+*3Xms=e80D2 ET%rRQ-~a#s From e60c1653e0d4ef2ee86f97f23503de2d55ed6e35 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 17 Sep 2019 20:01:46 +0800 Subject: [PATCH 16/34] Update audit rules for debian. --- ... etc.audit.rules.d.audit.rules_for_debian} | 75 ++++++++++++++----- 1 file changed, 55 insertions(+), 20 deletions(-) rename docs/configurations/{etc.audit.rules.d.audit.rules => etc.audit.rules.d.audit.rules_for_debian} (55%) 
diff --git a/docs/configurations/etc.audit.rules.d.audit.rules b/docs/configurations/etc.audit.rules.d.audit.rules_for_debian similarity index 55% rename from docs/configurations/etc.audit.rules.d.audit.rules rename to docs/configurations/etc.audit.rules.d.audit.rules_for_debian index 5aeeb67..056cea5 100644 --- a/docs/configurations/etc.audit.rules.d.audit.rules +++ b/docs/configurations/etc.audit.rules.d.audit.rules_for_debian @@ -11,7 +11,6 @@ ## Set failure mode to syslog -f 1 - -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change @@ -28,7 +27,9 @@ -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale --w /etc/selinux/ -p wa -k MAC-policy +-w /etc/apparmor/ -p wa -k MAC-policy +-w /etc/apparmor.d/ -p wa -k MAC-policy +-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins 
@@ -45,20 +46,49 @@ -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/pppd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F 
path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/dotlockfile -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete -w /etc/sudoers -p wa -k sudoers -w /etc/sudoers.d/ -p wa -k sudoers --e 2 --w /var/log/auth.log -p wa -k sudoaction +-w /var/log/sudo.log -p wa -k sudoaction -w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules +-w /bin/kmod -p x -k modules -a always,exit -F arch=b32 -S 
init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh +-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd 
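Review bot: The `-k privileged` block added in this hunk re-adds paths that the file already audits under a more specific key with otherwise identical filters: `/usr/lib/openssh/ssh-keysign` stays as context with `-k privileged-ssh`, `/usr/bin/passwd` with `-k privileged-passwd`, and `/usr/bin/ssh-agent` is added twice in this same hunk (`-k privileged` and `-k privileged-ssh`). As far as I know the kernel attaches a single key to each event, so one of the two keys would never show up in `ausearch -k` for these binaries, and which one depends on load order; I would keep one rule per path, e.g. drop the `-k privileged` lines for `ssh-keysign`, `ssh-agent` and `passwd`. The same overlap exists with the `privileged-postfix`, `privileged-cron` and `privileged-priv_change` rules kept in the `@@ -70,26 +100,31 @@` hunk. Separately, the `sudoaction` watch now points at `/var/log/sudo.log`, which only receives entries when sudoers sets that logfile, so a comment such as `## requires Defaults logfile="/var/log/sudo.log" in /etc/sudoers` above the rule would help.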
@@ -70,26 +100,31 @@ -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change +-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam -a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam --a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged --a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged --w /etc/audisp/audisp-remote.conf -p wa -k config_file_change --w /etc/audit/auditd.conf -p wa -k config_file_change --w /etc/audit/rules.d/ -p wa -k config_file_change --w /etc/default/grub -p wa -k config_file_change --w /etc/fstab -p wa -k config_file_change --w /etc/hosts.deny -p wa -k config_file_change --w /etc/login.defs -p wa -k config_file_change --w /etc/pam.d/ -p wa -k config_file_change --w /etc/profile -p wa -k config_file_change --w /etc/profile.d/ -p wa -k config_file_change --w /etc/security/ -p wa -k config_file_change --w /etc/iptables/ -p wa -k config_file_change --w /etc/sysctl.conf -p wa -k 
config_file_change +-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change +-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change +-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change +-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change +-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change +-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change +-a always,exit -F dir=/etc/iptables/ -F perm=wa -k config_file_change +-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod +-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update +-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv +-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv +-e 2 From 1fdb20c58bdefb25c6aae851b049b04385a4543f Mon Sep 17 00:00:00 2001 From: Samson-W Date: Mon, 16 Sep 2019 23:34:33 +0800 Subject: [PATCH 17/34] Add ip6tables rules. --- docs/configurations/etc.iptables.rules.v4.sh | 3 +- docs/configurations/etc.iptables.rules.v6.sh | 107 +++++++++++++++++++ 2 files changed, 108 insertions(+), 2 deletions(-) create mode 100644 docs/configurations/etc.iptables.rules.v6.sh 
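Review bot: The added `chfn` rule in this hunk filters on `auid>=500` while every other privileged-command rule around it uses `auid>=1000`, so the file now mixes two thresholds for what counts as a regular user. Unless that is deliberate, the line should read `-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change`. The two new `execpriv` rules are also written for `arch=b64` only, so a 32-bit `execve` with a uid/euid or gid/egid mismatch would presumably go unrecorded. Matching `-F arch=b32` lines, in the same way the `mounts` and `delete` rules in the preceding hunk are paired, would cover that case.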
diff --git a/docs/configurations/etc.iptables.rules.v4.sh b/docs/configurations/etc.iptables.rules.v4.sh index 694b134..599f23d 100644 --- a/docs/configurations/etc.iptables.rules.v4.sh +++ b/docs/configurations/etc.iptables.rules.v4.sh @@ -85,11 +85,10 @@ do $IPT -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT $IPT -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT - # allow ssh/http/ntp/dhclint only + # allow ssh/ntp/dhclint/http/https only $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT $IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT $IPT -A INPUT -p udp --dport 68 -m state --state NEW -j ACCEPT - ip6tables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT # $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT diff --git a/docs/configurations/etc.iptables.rules.v6.sh b/docs/configurations/etc.iptables.rules.v6.sh new file mode 100644 index 0000000..e7bb67b --- /dev/null +++ b/docs/configurations/etc.iptables.rules.v6.sh 
@@ -0,0 +1,107 @@ +#!/bin/bash +IPT="/sbin/ip6tables" +PUB_IFS="ens33" +if [ $# -lt 1 ]; then + echo "Must be set to greater than or equal to a public network interface. usage: $0 eth0, or $0 eth0 eth1" + exit 1 +else + PUB_IFS="$@" + echo "Public interface is $PUB_IFS" +fi + + echo "Starting IPv6 Wall..." + $IPT -F + $IPT -X + $IPT -t nat -F + $IPT -t nat -X + $IPT -t mangle -F + $IPT -t mangle -X + $IPT -N LOGDROP + modprobe ip_conntrack + + +#unlimited +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT +# DROP all incomming traffic +$IPT -P INPUT DROP +$IPT -P OUTPUT DROP +$IPT -P FORWARD DROP + +$IPT -A INPUT -i lo -j ACCEPT +$IPT -A OUTPUT -o lo -j ACCEPT +$IPT -A INPUT -s fe80::/64 -j DROP + +$IPT -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT +$IPT -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT +$IPT -A INPUT -p icmp -m state --state RELATED -j ACCEPT + + +$IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options +$IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT +$IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options + +for PUB_IF in $PUB_IFS +do +# sync + $IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn" + $IPT -A INPUT -i ${PUB_IF} -p tcp ! 
--syn -m state --state NEW -j DROP + +# Fragments + $IPT -A INPUT -i ${PUB_IF} -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets" + $IPT -A INPUT -i ${PUB_IF} -j DROP + + +# block bad stuff + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan" + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans + + $IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + + # No smb/windows sharing packets - too much logging + $IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT + $IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT + $IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --set + $IPT -I INPUT -p tcp --dport 22 -i ${PUB_IF} -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP + done + # Allow full outgoing connection but no incomming stuff + $IPT -A INPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 4 -j ACCEPT + $IPT -A OUTPUT -p ipv6-icmp -m ipv6-icmp --icmpv6-type 8 -j ACCEPT + + # allow ssh/ntp/dhclint/http/https only + $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT + $IPT -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT + $IPT -A INPUT -d 
fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT +# $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT +# $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT + + # allow incoming ICMP ping pong stuff + $IPT -A INPUT -p ipv6-icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + $IPT -A OUTPUT -p ipv6-icmp -m state --state ESTABLISHED,RELATED -j ACCEPT + + # prevent ssh brute force attack + $IPT -A LOGDROP -j LOG + $IPT -A LOGDROP -j DROP + +# Log everything else +# *** Required for psad **** +$IPT -A INPUT -j LOG +$IPT -A FORWARD -j LOG +$IPT -A INPUT -j DROP + +exit 0 From 49b106416478ccd48e5d449f1d951645c881f489 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Wed, 18 Sep 2019 15:55:29 +0800 Subject: [PATCH 18/34] Update signature for QEMU image. --- .../how_to_creating_and_making_a_QEMU_img.mkd | 2 +- ...ge_of_harbian_audit_complianced_Debian_9.mkd | 4 ++-- .../signature/debian9.9-harbian-0910.qcow2.sig | Bin 566 -> 592 bytes .../debian9.9-harbian-0910.qcow2.tar.gz.sig | Bin 566 -> 592 bytes 4 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd index 567f259..fbcb87d 100644 --- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd @@ -174,6 +174,6 @@ $ sudo poweroff ## sign QEMU image ssh to QEMU server, find QEMU image dir, sign the QEMU image: ``` -root@debian-9:/opt/images# gpg -b harbian-audit_Debian_9.qcow2 +root@debian-9:/opt/images# gpg -u samson -b debian9.9-harbian-0910.qcow2 ``` diff --git a/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd b/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd index 6605c2f..0e1ecbf 100644 
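Review bot: Under `# Fragments` the rule `$IPT -A INPUT -i ${PUB_IF} -j DROP` carries no fragment match, so it drops every packet on the public interface that was not already accepted as ESTABLISHED/RELATED, and the later `--dport 22`, `--dport 123` and `--dport 546` ACCEPT rules can never match there; the LOG rule before it likewise labels all of that traffic "Fragments Packets". ip6tables has no `-f`, so the pair should either be removed or restricted to the fragment header, for example with `-m frag`. The ICMP rules look carried over from the IPv4 script: `-p icmp` does not match ICMPv6, and `--icmpv6-type 4` / `8` are not the echo types (echo-request is 128, echo-reply 129), so the ping rule needs `-p ipv6-icmp --icmpv6-type 128`. `-A INPUT -s fe80::/64 -j DROP` also sits ahead of every ICMPv6 and DHCPv6 rule and would likely discard link-local neighbour discovery and DHCPv6 replies, which is worth testing before the result is saved to `/etc/iptables/rules.v6`.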
--- a/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd +++ b/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd @@ -24,9 +24,9 @@ passwd: 2wsx#EDC4rfv%TGB6yhn ``` $ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/debian9.9-harbian-0910.qcow2.sig $ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig -$ gpg --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz +$ gpg -u samson --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz $ tar -xzvf debian9.9-harbian-0910.qcow2.tar.gz -$ gpg --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2 +$ gpg -u samson --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2 ``` ## Use the QEMU image to create virtual machine 
diff --git a/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig index 2832e3836429e00c037e75082dedfdd8d364d538..39d71b390bcd473cbf39c76f10cd2bd9cf1fb1e6 100644 GIT binary patch literal 592 zcmV-W0Za%5$0Wn^q=ZgqGrV{dH$3JDOf^_?qWc)E`!%@6)NpPi_q;V8Rh({D7GW0p>$ zL>NDWW0}>!{nd%QylsE4)aL#ZN%~uRpL5W#N~f7@ZEniMZXd3PFy(%DDqL2iQ4J zl8#(?5%$(04_O9}Ws%29?t>!}c<=1K0+x2DjVf%N>y3K)q)zJ`d6JeNeF%{Ibr3g> zqm7jkFueBitdS$K8q~)1yPI{PGtv~#+?X9R7q+I~P`tAAqME6+f3%MZ(^R+2RIEGJ z4$%i#li%$dg)TKZ;wLJ^y0FH+gv^)!ojz1DUIs+_#e*07AS?!|U40L2T_Ht$WEGpu51T9Ku9$(@(g#VH(B6U>E~+y13*vl43+4LiAOl!o^EHUahUAVCaWy_i&QtJ@pupzraC zI@kh)>{xkUaAOd!xv$UCA$ohfUvD}^aSuO^vJi;fOAW<19FXR55)H eHh%{`7_?A+UiKSAnXtS-KKiIxD0fQa(MP+HA08tB literal 566 zcmV-60?GY}0y6{v0SEvc79j-MfL)@~pZ2ZdgB8PBU%uRd+0$q5XEC31#5K$tB za9PYve3}vu{xXCY^SpF;BT^=wIwq`7yyELoinpswDTQl?&7Dmgqm-(o%S41wWPBmO z(XbzZJ4c*{D8t9CX&wUF)V=_cMY=Eei`xcaf%17wep#9@IZmBI*_OWsZHXL=vU@Io z-H`8UWiocZg!6;dh_C7;niBIVX#y~GPKH_~1nqK3$jmTe(;;`s>(P z`_Z8_f0Tcc8#N`>gz3Srb^qVVy(1dK51 z1irzeusF~@3?r^l6a4x+kc^lATaTV+8Kf?Y38=tC4Ux>YaFp#&HQ?C% E1G734IsgCw 
diff --git a/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig index e25828d780a2256526c8716484d5103afb6e63a8..58dbb4477e1c3db38d800133240fdfe8cf2a6993 100644 GIT binary patch literal 592 zcmV-W0Za%5$0Wn^q=ZgqGrV{dH$3JDOf^_?qWc)E{z5fA@&;1Ws4yGVpf6~PV$h#K>P z72=u~yy6IcI9KNd8!ZtqB)Cm?v310i3Io?2!x>$xns9H{1`e0{W8T~L-z=Tv1<}Rf zUd7osBU3}Su68|YV@u8{)re6B=?l5CsZ0b2ECC(UT`i6dm&<{azghy zQT5qyANT2gLhPBS^yPw93x9ZdgB8PBU%uRd+0$q5ZkpKz_5K$tB za9PYve9YDl|7-vKTNzPqgY^)f1cX{I9Et1kP2ns)8;BG-1wy>Ye2-c#JV5p&Vv8!y ziyg~_vkT(B)}|=z%iK^d1z}9SlL)b zJJHw7O>aE?=go*LAs#VNIP5NEa2|VDQE0-thH;&txE`71>GX!j%#PR06UyGN{YY^%<`>P1=t5=xq4>`IU85&>)vXR-8!7+ z*kBXf*`Nl;OUj0Qf`Fu%M@_hN#>BD!Qp7{wR@eze?2T-f8h=VT{a zD~5}Kq@MGxrh=Q*+QXhkcheI%ml+?4Uln>}5x@0^7HBhXt0%E%>uC5=;FgK<+8a!1 zI8|Pgn`gfuGT$EeJ@&07qdiHa<2l=%Nlx0bl#k?~se{aQedr?56)C EY|2s^+yDRo From 5a066aa04fc6aa1da5f73e8c2f83ba3a5f36058a Mon Sep 17 00:00:00 2001 From: Samson-W Date: Wed, 18 Sep 2019 19:57:13 +0800 Subject: [PATCH 19/34] Update sig for QEMU image. --- .../how_to_creating_and_making_a_QEMU_img.mkd | 2 +- ...ge_of_harbian_audit_complianced_Debian_9.mkd | 4 ++-- .../signature/debian9.9-harbian-0910.qcow2.sig | Bin 592 -> 592 bytes .../debian9.9-harbian-0910.qcow2.tar.gz.sig | Bin 592 -> 592 bytes 4 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd index fbcb87d..5e384f8 100644 --- a/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd +++ b/docs/complianced_image/QEMU/how_to_creating_and_making_a_QEMU_img.mkd 
@@ -174,6 +174,6 @@ $ sudo poweroff ## sign QEMU image ssh to QEMU server, find QEMU image dir, sign the QEMU image: ``` -root@debian-9:/opt/images# gpg -u samson -b debian9.9-harbian-0910.qcow2 +root@debian-9:/opt/images# gpg -u Samson -b debian9.9-harbian-0910.qcow2 ``` diff --git a/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd b/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd index 0e1ecbf..a453a24 100644 --- a/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd +++ b/docs/complianced_image/QEMU/how_to_use_QEMU_image_of_harbian_audit_complianced_Debian_9.mkd @@ -24,9 +24,9 @@ passwd: 2wsx#EDC4rfv%TGB6yhn ``` $ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/debian9.9-harbian-0910.qcow2.sig $ wget https://github.com/hardenedlinux/harbian-audit/blob/master/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig -$ gpg -u samson --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz +$ gpg -u Samson --verify debian9.9-harbian-0910.qcow2.tar.gz.sig debian9.9-harbian-0910.qcow2.tar.gz $ tar -xzvf debian9.9-harbian-0910.qcow2.tar.gz -$ gpg -u samson --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2 +$ gpg -u Samson --verify debian9.9-harbian-0910.qcow2.sig debian9.9-harbian-0910.qcow2 ``` ## Use the QEMU image to create virtual machine 
diff --git a/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.sig index 39d71b390bcd473cbf39c76f10cd2bd9cf1fb1e6..96edd48db3ee98b5b8df43782b44ce14c5d97b79 100644 GIT binary patch literal 592 zcmV-W0w48t-J=>CibF68F(FbW#JC)4^0$qX;a~T|SVQq77 zZa`>Za%5$0Wn^q=ZgqGrZ*pe<3JDN}(FbW#JC)7N=MVlnN8#KsQNwdO-nYWh^@tCI z9Z$?gU5xj-3k}%qY znP{~l!vfMRx3VBrq~uED8KHuJoog@$D6H9G{J8WVKHy#^afA(C%u>aX|48_iP+s*^A=a5ef#BfhAT7}}al}!{=+Um6 z@j;)qh=_KQR!Tll)~e$dqILJhh#0{jaqL@PkaRj0_>J_YIc#YYCR*C1@pd7jGikQO zw5^M4K}C?uLsvp|y#kwU z-rbZ(x{>Od+Og$g&C3h*oUEOH3l2cM1iE`>4?QN3PFYa;Wx}mgjFrjfRnJslW&x@^6r3Jiu*Yb!^1Zy&P& literal 592 zcmV-W0Za%5$0Wn^q=ZgqGrV{dH$3JDOf^_?qWc)E`!%@6)NpPi_q;V8Rh({D7GW0p>$ zL>NDWW0}>!{nd%QylsE4)aL#ZN%~uRpL5W#N~f7@ZEniMZXd3PFy(%DDqL2iQ4J zl8#(?5%$(04_O9}Ws%29?t>!}c<=1K0+x2DjVf%N>y3K)q)zJ`d6JeNeF%{Ibr3g> zqm7jkFueBitdS$K8q~)1yPI{PGtv~#+?X9R7q+I~P`tAAqME6+f3%MZ(^R+2RIEGJ z4$%i#li%$dg)TKZ;wLJ^y0FH+gv^)!ojz1DUIs+_#e*07AS?!|U40L2T_Ht$WEGpu51T9Ku9$(@(g#VH(B6U>E~+y13*vl43+4LiAOl!o^EHUahUAVCaWy_i&QtJ@pupzraC zI@kh)>{xkUaAOd!xv$UCA$ohfUvD}^aSuO^vJi;fOAW<19FXR55)H eHh%{`7_?A+UiKSAnXtS-KKiIxD0fQa(MP+HA08tB 
diff --git a/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig b/docs/complianced_image/QEMU/signature/debian9.9-harbian-0910.qcow2.tar.gz.sig index 58dbb4477e1c3db38d800133240fdfe8cf2a6993..386e0d15d359267fe36ce1a49173e298a8191eb7 100644 GIT binary patch literal 592 zcmV-W0w48t-J=>CibF68F(FbW#JC)4^0$qX=HW?gqVQq77 zZa`>Za%5$0Wn^q=ZgqGrZ*pe<3JDN}(FbW#JC)4_@DKlC=>QirCl#n(eyPT9zE_gy zJV0G$aC40Dw~VX3{QJ?S1>%tU#p7jjC}|?#LvHKkdU0p8eyi9uKK4_Bi5km;>~<-59Gul0y(%j=2U~0vF1sQ4 zlfGRy#xAX@>fxI_AR%gG)P?X8*ZYty8>tf+5YUdFLlEU4Db>>B_+Wg^c&JqP zd0G4&E%DPg}(;C5XuKg6D3g5F0*17Vwx$l#Ci{BEvK%O@ii@#&? z#@XtBOm^=*8>?w=fU+`jF!it2o!+T7tt~ag|h)QS93D zMy?wreJVT?lP6Op)e-34E{)@;{jB#rfl@qwZCAC#&)-gsgoH&EOPiF=4capXZLdMe z0VX3DbU|#9c4fq;o~FOuZPxhynR%)^*y?u)k$ZvAt|-ZYePpjGaO#k}2PO%O3ZLa9 eE4)+|+~2^=^&kr^)*r5*vtGzZa%5$0Wn^q=ZgqGrV{dH$3JDOf^_?qWc)E{z5fA@&;1Ws4yGVpf6~PV$h#K>P z72=u~yy6IcI9KNd8!ZtqB)Cm?v310i3Io?2!x>$xns9H{1`e0{W8T~L-z=Tv1<}Rf zUd7osBU3}Su68|YV@u8{)re6B=?l5CsZ0b2ECC(UT`i6dm&<{azghy zQT5qyANT2gLhPBS^yPw93x9 Date: Mon, 23 Sep 2019 18:44:23 +0800 Subject: [PATCH 20/34] Add --final method for reset password for reguler and root user, and reinit aide database --- bin/hardening.sh | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/bin/hardening.sh b/bin/hardening.sh index efb4108..d0ce0f9 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -24,6 +24,7 @@ ALLOW_SERVICE_LIST=0 SET_HARDENING_LEVEL=0 SUDO_MODE='' INIT_G_CONFIG=0 +FINAL_G_CONFIG=0 usage() { cat << EOF 
@@ -82,6 +83,12 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of: Use --allow-service-list to get a list of supported services. Example: bin/hardening.sh --set-hardening-level 5 --allow-service dns,http + + --final + The final action that needs to be done when all repairs are completed. The action items are: + 1. Use passwd to change the password of the regular and root user to update the user + password strength and robustness; + 2. Aide reinitializes. OPTIONS: @@ -148,6 +155,8 @@ while [[ $# > 0 ]]; do --init) INIT_G_CONFIG=1 ;; + --final + FINAL_G_CONFIG=1 *) usage ;; @@ -170,6 +179,7 @@ fi [ -r $CIS_ROOT_DIR/lib/common.sh ] && . $CIS_ROOT_DIR/lib/common.sh [ -r $CIS_ROOT_DIR/lib/utils.sh ] && . $CIS_ROOT_DIR/lib/utils.sh +# For --init if [ $INIT_G_CONFIG -eq 1 ]; then if [ -r /etc/redhat-release ]; then info "This OS is redhat/CentOS." @@ -194,6 +204,36 @@ else exit 128 fi +# For --final +if [ $FINAL_G_CONFIG -eq 1 ]; then + # Reset passwd for regular and root user + USERSNAME=$(cat /etc/passwd | awk -F':' '{if($3>=1000 && $3<65534) {print $1}}') + for USER in $USERSNAME; do + RESETCONTIN="n" + read -p "Will password of $USER be reset, are you sure to continue?(Y/n)" RESETCONTIN + if [ "$RESETCONTIN" == "Y" ]; then + sudo -u $USER passwd + else + continue + fi + done + RESETCONTIN="n" + read -p "Will password of root be reset, are you sure to continue?(Y/n)" RESETCONTIN + if [ "$RESETCONTIN" == "Y" ]; then + passwd + fi + + # Reinit aide database + info "Will reinitialize the AIDE database" + if [ $OS_RELEASE -eq 1 ]; then + aideinit + elif [ $OS_RELEASE -eq 2 ]; then + aide --init + mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + fi + +fi + # If --allow-service-list is specified, don't run anything, just list the supported services if [ "$ALLOW_SERVICE_LIST" = 1 ] ; then declare -a HARDENING_EXCEPTIONS_LIST From ed97981ac26dbe002227037572a8ca6468148a26 Mon Sep 17 00:00:00 2001 
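Review bot: In the AIDE step of the new `--final` block, `mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` is not tied to the result of `aide --init`, so unless `set -e` is active in this script a failed init is followed by the move anyway; chaining them as `aide --init && mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz` makes the dependency explicit. Re-initialising also accepts the current filesystem state as the new integrity baseline, so the `--final` help text should tell operators to review an `aide --check` report first. In the password loop the variable `USER` overwrites the shell's own `USER` and is expanded unquoted; `for account in $USERSNAME` with `sudo -u "$account" passwd` and `read -r -p` avoids both. The block sits at the top level of hardening.sh, and the code it runs into lies outside this hunk.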
From: Samson-W Date: Tue, 24 Sep 2019 18:07:00 +0800 Subject: [PATCH 21/34] Add --final method discription to README doc. --- README-CN.md | 7 ++++++- README.md | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/README-CN.md b/README-CN.md index fd36aa9..41e1c8f 100644 --- a/README-CN.md +++ b/README-CN.md @@ -166,7 +166,12 @@ $ sudo -s $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf $ sudo nft -f ./etc.nftables.conf ``` -5) 使用passwd命令改变所有用户的密码,以满足pam_cracklib模块配置的密码复杂度及健壮性。 +5) 当所有安全基线项都修复完成后,使用--final方法将完成以下的最终的工作: + 1.使用passwd命令去重新设置常规用户及root用户的密码,以满足pam_cracklib模块配置的密码强度和健壮性。 + 2. 重新初始化aide工具的数据库。 +``` +$ sudo bin/hardening.sh --final +``` ## 特别注意 diff --git a/README.md b/README.md index 4c9277e..1f3bbb6 100644 --- a/README.md +++ b/README.md @@ -182,7 +182,12 @@ to do the following(your network interfacename(Example eth0)): $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf $ sudo nft -f ./etc.nftables.conf ``` -5) Use the passwd command to change the passwords of all users to apply the password complexity and robustness of the pam_cracklib module configuration. +5) When all repairs are completed. --final method will: + 1. Use passwd command to change the password of the regular and root user to apply the password complexity and robustness of the pam_cracklib module configuration. + 2. Aide reinitializes. +``` +$ sudo bin/hardening.sh --final +``` ## Special Note Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix). From 5ac0f976c96fa0d13be5babeb291e9a44743a781 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 24 Sep 2019 18:14:18 +0800 Subject: [PATCH 22/34] Update format of hardening.sh --- bin/hardening.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/bin/hardening.sh b/bin/hardening.sh index d0ce0f9..0eb7102 100755 
--- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -33,11 +33,11 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of: --help -h Show this help - --init - Initialize the global configuration file(/etc/default/cis-hardening) based - on the release version number. + --init + Initialize the global configuration file(/etc/default/cis-hardening) based + on the release version number. - --apply + --apply Apply hardening for enabled scripts. Beware that NO confirmation is asked whatsoever, which is why you're warmly advised to use --audit before, which can be regarded as a dry-run mode. @@ -82,13 +82,13 @@ $LONG_SCRIPT_NAME [OPTIONS], where RUN_MODE is one of: as http, mail, etc. Can be specified multiple times to allow multiple services. Use --allow-service-list to get a list of supported services. Example: - bin/hardening.sh --set-hardening-level 5 --allow-service dns,http - - --final - The final action that needs to be done when all repairs are completed. The action items are: - 1. Use passwd to change the password of the regular and root user to update the user - password strength and robustness; - 2. Aide reinitializes. + bin/hardening.sh --set-hardening-level 5 --allow-service dns,http + + --final + The final action that needs to be done when all repairs are completed. The action items are: + 1. Use passwd to change the password of the regular and root user to update the user + password strength and robustness; + 2. Aide reinitializes. OPTIONS: From 02a9a64fc02d1a437ee1c29acf5c06e966e7352f Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 24 Sep 2019 18:17:57 +0800 Subject: [PATCH 23/34] Fix some bug. --- bin/hardening.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bin/hardening.sh b/bin/hardening.sh index 0eb7102..ba72e92 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -155,8 +155,9 @@ while [[ $# > 0 ]]; do --init) INIT_G_CONFIG=1 ;; - --final + --final) FINAL_G_CONFIG=1 + ;; *) usage ;; 
@@ -231,7 +232,7 @@ if [ $FINAL_G_CONFIG -eq 1 ]; then aide --init mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz fi - + exit 0 fi # If --allow-service-list is specified, don't run anything, just list the supported services From 16e1eeb5bf3f814318da3f31f7276c6d4a204581 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Wed, 25 Sep 2019 15:52:57 +0800 Subject: [PATCH 24/34] Fix a bug: 7.7.5.3 for ip6tables. --- ...5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh b/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh index 2a498da..3b2a18e 100755 --- a/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh +++ b/bin/hardening/7.7.5.3_ensure_firewall_rules_exist_for_all_open_ports_for_v6.sh @@ -39,7 +39,7 @@ audit () { if [ "$PROTO_TYPE" == 'udp6' ]; then PROTO_TYPE="udp" fi - LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $4}') + LISTEN_PORT=$(echo ${LISTENING} | awk '{print $4}' | awk -F: '{print $NF}') if [ $($IPS6 -S | grep "^\-A INPUT \-p $PROTO_TYPE" | grep -c "\-\-dport $LISTEN_PORT \-m state \-\-state NEW \-j ACCEPT") -ge 1 ]; then info "Service: protocol $PROTO_TYPE listening port $LISTEN_PORT was set ipv6 firewall rules." else From 09871b9a98bd426fde18799d440e1a1000e88791 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Thu, 26 Sep 2019 04:52:08 +0800 Subject: [PATCH 25/34] Update how_to_creating_and_making_an_AMI_public.mkd --- bin/hardening/8.4.1_install_aide.sh | 2 +- ...w_to_creating_and_making_an_AMI_public.mkd | 51 +++++++++++++++---- 2 files changed, 43 insertions(+), 10 deletions(-) diff --git a/bin/hardening/8.4.1_install_aide.sh b/bin/hardening/8.4.1_install_aide.sh index 60c11c9..e5b9277 100755 --- a/bin/hardening/8.4.1_install_aide.sh +++ b/bin/hardening/8.4.1_install_aide.sh 
@@ -40,7 +40,7 @@ apply () { mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz else apt_install $PACKAGE - aideinit + aideinit -y -f info "${PACKAGE} is now installed but not fully functionnal, please see readme to go further" fi fi diff --git a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd index 14de4c5..db6700d 100644 --- a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd +++ b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd @@ -24,7 +24,8 @@ The creation process is as follows: ### Pre-Install ``` -$ sudo apt update && sudo apt install -y bc net-tools vim unzip +$ sudo apt update +$ sudo apt install -y bc net-tools bc net-tools pciutils network-manager vim unzip ``` ### Get harbian-audit project 
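Review bot: `aideinit -y -f` here now overwrites an existing AIDE database without prompting, but the `aideinit` call in the `--final` branch of `bin/hardening.sh` (added in PATCH 20/34) is still the bare command, and this same commit changes the AMI guide to run `hardening.sh --final` in place of `sudo aideinit -y -f`. For consistency the `--final` branch should use `aideinit -y -f` as well, otherwise the documented final step may stop at a prompt or leave the old database in place. apply() begins and ends outside this hunk.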
@@ -45,30 +46,56 @@ admin@ip:/opt/harbian-audit-master# passwd admin ``` #### Audit && Apply: + +##### First audit && apply: ``` admin@ip:/opt/harbian-audit-master$ sudo cp debian/default /etc/default/cis-hardening admin@ip:/opt/harbian-audit-master$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --init admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --audit-all admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --set-hardening-level 5 +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/7.4.4_hosts_deny.cfg admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.6_remove_nopasswd_sudoers.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.1_install_aide.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/8.4.2_aide_cron.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=disabled/' etc/conf.d/10.1.1_set_password_exp_days.cfg admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply -admin@ip:/opt/harbian-audit-master$ sudo sed -i "/^root/a\admin ALL=(ALL:ALL) ALL" /etc/sudoers admin@ip:/opt/harbian-audit-master$ sudo reboot ``` -After reboot: - +##### Second audit && apply(After reboot) +Configuring the firewall: ``` admin@ip:/opt/harbian-audit-master$ INTERFACENAME="eth0" admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME +admin@ip:/opt/harbian-audit-master$ sudo bash /opt/harbian-audit-master/docs/configurations/etc.iptables.rules.v6.sh $INTERFACENAME admin@ip:/opt/harbian-audit-master$ sudo -s admin@ip:/opt/harbian-audit-master# iptables-save > 
/etc/iptables/rules.v4 admin@ip:/opt/harbian-audit-master# ip6tables-save > /etc/iptables/rules.v6 +admin@ip:/opt/harbian-audit-master# exit +``` + +Apply need to apply twice items and that items of must apply after first apply: +``` +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5 +admin@ip:/opt/harbian-audit-master$ sudo reboot ``` -Related how to use harbian-audit to adit and apply, please reference: -[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md) +##### Third apply(after reboot) +Apply need to apply three times items: +``` +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5 +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1 +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.2 +admin@ip:/opt/harbian-audit-master$ sudo reboot +``` ### Set issues ``` 
@@ -89,9 +116,14 @@ $ sudo rm /opt/harbian-audit-master/tmp/backups/* $ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg ``` -#### AIDE RE-INIT +#### Final apply +Reset password for all users and reinit aide database: +``` +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final +``` +#### Uninstall ``` -$ sudo aideinit -y -f +$ sudo apt-get purge --autoremove unzip ``` #### Clear the current log: @@ -147,8 +179,9 @@ $ history -cw ![17](./picture/create-AMI-from-instance-17.png) -## Reference +## Reference +[https://github.com/hardenedlinux/harbian-audit/blob/master/README.md](https://github.com/hardenedlinux/harbian-audit/blob/master/README.md) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html) [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html) From 2938a3075b554393065f0a90f428306d1595f505 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Thu, 26 Sep 2019 23:31:48 +0800 Subject: [PATCH 26/34] Fix a bug for 6.18 and update how_to_creating_and_making_an_AMI_public.mkd --- ...ure_virusscan_program_update_is_enabled.sh | 48 ++++++++----------- ...w_to_creating_and_making_an_AMI_public.mkd | 4 +- 2 files changed, 21 insertions(+), 31 deletions(-) diff --git a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh index d7956ec..ee75c75 100755 --- a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh +++ b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh 
@@ -13,48 +13,38 @@ set -e # One error, it's over set -u # One variable unset, it's over HARDENING_LEVEL=4 -VIRULSERVER='clamav-daemon' CLAMAVCONF_DIR='/etc/clamav/clamd.conf' UPDATE_SERVER='clamav-freshclam' # This function will be called if the script status is on enabled / audit mode audit () { - if [ $(systemctl | grep $VIRULSERVER | grep "active running" | wc -l) -ne 1 ]; then - crit "$VIRULSERVER is not runing" - FNRET=1 - else - ok "$VIRULSERVER is runing" - UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}') - if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then - NOWTIME=$(date +"%s") - # This file extension name maybe change to .cvd or .cld - VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*) - INTERVALTIME=$((${NOWTIME}-${VIRUSTIME})) - if [ "${INTERVALTIME}" -ge 604800 ];then - crit "Database file has a date older than seven days from the current date" - FNRET=3 - else - ok "Database file has a date less than seven days from the current date" - FNRET=0 - fi - else - crit "Clamav config file or update dir is not exist" - FNRET=2 - fi - fi + UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}') + if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then + NOWTIME=$(date +"%s") + # This file extension name maybe change to .cvd or .cld + VIRUSTIME=$(stat -c "%Y" "$UPDATE_DIR"/daily.*) + INTERVALTIME=$((${NOWTIME}-${VIRUSTIME})) + if [ "${INTERVALTIME}" -ge 604800 ];then + crit "Clamav database file has a date older than seven days from the current date" + FNRET=3 + else + ok "Clamav database file has a date less than seven days from the current date" + FNRET=0 + fi + else + crit "Clamav config file or update dir is not exist" + FNRET=2 + fi } # This function will be called if the script status is on enabled mode apply () { if [ $FNRET = 0 ]; then - ok "Database file has a date less than seven days from the current date" - elif [ $FNRET = 1 ]; then - warn "Install $VIRULSERVER" - apt-get install -y $VIRULSERVER + ok "Clamav 
database file has a date less than seven days from the current date" elif [ $FNRET = 2 ]; then warn "Clamav config file or update dir is not exist, please check that is exist or check config" elif [ $FNRET = 3 ]; then - warn "Database file has a date older than seven days from the current date, start clamav-freshclam.service to update" + warn "Clamav database file has a date older than seven days from the current date, start clamav-freshclam.service to update" apt-get install -y $UPDATE_SERVER systemctl start $UPDATE_SERVER fi diff --git a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd index db6700d..4476cfc 100644 --- a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd +++ b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd @@ -77,11 +77,11 @@ admin@ip:/opt/harbian-audit-master# exit Apply need to apply twice items and that items of must apply after first apply: ``` -admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32 admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.2 admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.1.3 admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.12 +admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.1.32_freeze_auditd_conf.cfg +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.1.32 admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5 admin@ip:/opt/harbian-audit-master$ sudo reboot ``` From 5a9dc6808935c65c8f03ad2e48ba7fb7a2bb557b Mon Sep 17 00:00:00 2001 
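Review bot: In the new audit() of 6.18_ensure_virusscan_program_update_is_enabled.sh, `grep` reads `$CLAMAVCONF_DIR` before the `-e $CLAMAVCONF_DIR` test, and `$UPDATE_DIR` is unquoted inside `[ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]`. A missing config file or a missing DatabaseDirectory line therefore leaves an empty word in the test instead of producing a clean FNRET=2. Test the file first and quote both operands: `if [ -e "$CLAMAVCONF_DIR" ] && [ -d "$UPDATE_DIR" ]; then`. The `stat -c "%Y" "$UPDATE_DIR"/daily.*` line has a related gap: with no daily.* file stat fails, which under the script's `set -e` presumably aborts the check rather than reporting stale definitions, and with both a .cvd and a .cld present it returns two timestamps that the arithmetic cannot use. A comment above that line saying which file is authoritative would help.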
From: Samson-W Date: Fri, 27 Sep 2019 00:33:14 +0800 Subject: [PATCH 27/34] Delete 9.3.20_sshd_UsePrivilegeSeparation, because option UsePrivilegeSeparation has been deprecated since the release of OpenSSH 7.5. --- .../9.3.20_sshd_UsePrivilegeSeparation.sh | 93 ------------------- 1 file changed, 93 deletions(-) delete mode 100755 bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh diff --git a/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh b/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh deleted file mode 100755 index b17e13e..0000000 --- a/bin/hardening/9.3.20_sshd_UsePrivilegeSeparation.sh +++ /dev/null 
@@ -1,93 +0,0 @@ -#!/bin/bash - -# -# harbian audit 7/8/9 Hardening -# - -# -# 9.3.20 Set SSHD UsePrivilegeSeparation to sandbox (Scored) -# Author : Samson wen, Samson -# - -set -e # One error, it's over -set -u # One variable unset, it's over - -HARDENING_LEVEL=2 - -PACKAGE='openssh-server' -OPTIONS='UsePrivilegeSeparation=sandbox' -FILE='/etc/ssh/sshd_config' - -# This function will be called if the script status is on enabled / audit mode -audit () { - is_pkg_installed $PACKAGE - if [ $FNRET != 0 ]; then - crit "$PACKAGE is not installed!" - else - ok "$PACKAGE is installed" - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - crit "$PATTERN is not present in $FILE" - fi - done - fi -} - -# This function will be called if the script status is on enabled mode -apply () { - is_pkg_installed $PACKAGE - if [ $FNRET = 0 ]; then - ok "$PACKAGE is installed" - else - crit "$PACKAGE is absent, installing it" - apt_install $PACKAGE - fi - for SSH_OPTION in $OPTIONS; do - SSH_PARAM=$(echo $SSH_OPTION | cut -d= -f 1) - SSH_VALUE=$(echo $SSH_OPTION | cut -d= -f 2) - PATTERN="^$SSH_PARAM[[:space:]]*$SSH_VALUE" - does_pattern_exist_in_file $FILE "$PATTERN" - if [ $FNRET = 0 ]; then - ok "$PATTERN is present in $FILE" - else - warn "$PATTERN is not present in $FILE, adding it" - does_pattern_exist_in_file $FILE "^$SSH_PARAM" - if [ $FNRET != 0 ]; then - add_end_of_file $FILE "$SSH_PARAM $SSH_VALUE" - else - info "Parameter $SSH_PARAM is present but with the wrong value -- Fixing" - replace_in_file $FILE "^$SSH_PARAM[[:space:]]*.*" "$SSH_PARAM $SSH_VALUE" - fi - /etc/init.d/ssh reload > /dev/null 2>&1 - fi - done -} - -# This function will check config parameters required -check_config() { - : -} - -# Source Root Dir Parameter -if [ -r 
/etc/default/cis-hardening ]; then - . /etc/default/cis-hardening -fi -if [ -z "$CIS_ROOT_DIR" ]; then - echo "There is no /etc/default/cis-hardening file nor cis-hardening directory in current environment." - echo "Cannot source CIS_ROOT_DIR variable, aborting." - exit 128 -fi - -# Main function, will call the proper functions given the configuration (audit, enabled, disabled) -if [ -r $CIS_ROOT_DIR/lib/main.sh ]; then - . $CIS_ROOT_DIR/lib/main.sh -else - echo "Cannot find main.sh, have you correctly defined your root directory? Current value is $CIS_ROOT_DIR in /etc/default/cis-hardening" - exit 128 -fi From 5280e0a3ef68935f848aa4092a3172e92bcebf74 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 27 Sep 2019 17:19:11 +0800 Subject: [PATCH 28/34] Update how_to_creating_and_making_an_AMI_public.mkd and modify bin/hardening.sh --- bin/hardening.sh | 10 +++++----- .../how_to_creating_and_making_an_AMI_public.mkd | 15 ++++++++------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/bin/hardening.sh b/bin/hardening.sh index ba72e92..6635e1f 100755 --- a/bin/hardening.sh +++ b/bin/hardening.sh @@ -211,16 +211,16 @@ if [ $FINAL_G_CONFIG -eq 1 ]; then USERSNAME=$(cat /etc/passwd | awk -F':' '{if($3>=1000 && $3<65534) {print $1}}') for USER in $USERSNAME; do RESETCONTIN="n" - read -p "Will password of $USER be reset, are you sure to continue?(Y/n)" RESETCONTIN - if [ "$RESETCONTIN" == "Y" ]; then - sudo -u $USER passwd + read -p "Will password of $USER be reset, are you sure to continue?(y/N)" RESETCONTIN + if [ "$RESETCONTIN" == "y" ]; then + passwd $USER else continue fi done RESETCONTIN="n" - read -p "Will password of root be reset, are you sure to continue?(Y/n)" RESETCONTIN - if [ "$RESETCONTIN" == "Y" ]; then + read -p "Will password of root be reset, are you sure to continue?(y/N)" RESETCONTIN + if [ "$RESETCONTIN" == "y" ]; then passwd fi 
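Review bot: The exit status of `passwd $USER` in the --final loop of bin/hardening.sh is not checked, so a reset that fails (mismatched entry, rejected password) passes silently and the account keeps its previous password. The AMI guide in this series runs --final shortly before the image is created, so that password would ship in the image. Report the failure and quote the name: `passwd "$USER" || echo "password of $USER was NOT changed" >&2`, and do the same for the root `passwd` call. `read -r -p` would also keep a backslash in the answer from being interpreted. The surrounding `if [ $FINAL_G_CONFIG -eq 1 ]` block continues outside the hunk.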
diff --git a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd index 4476cfc..3fed1ae 100644 --- a/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd +++ b/docs/complianced_image/AMI/how_to_creating_and_making_an_AMI_public.mkd @@ -89,7 +89,6 @@ admin@ip:/opt/harbian-audit-master$ sudo reboot ##### Third apply(after reboot) Apply need to apply three times items: ``` -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 4.5 admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.1_install_aide.cfg admin@ip:/opt/harbian-audit-master$ sudo sed -i 's/^status=.*/status=enabled/' etc/conf.d/8.4.2_aide_cron.cfg admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --apply --only 8.4.1 @@ -116,14 +115,9 @@ $ sudo rm /opt/harbian-audit-master/tmp/backups/* $ sudo rm /opt/harbian-audit-master/etc/conf.d/*.cfg ``` -#### Final apply -Reset password for all users and reinit aide database: -``` -admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final -``` #### Uninstall ``` -$ sudo apt-get purge --autoremove unzip +$ sudo apt-get purge --autoremove unzip -y ``` #### Clear the current log: @@ -145,6 +139,13 @@ $ sudo -s # echo > /var/log/tallylog # echo > /var/log/lastlog # echo > /var/log/wtmp +# echo > /var/log/sudo.log +``` + +#### Final apply +Reset password for all users and reinit aide database: +``` +admin@ip:/opt/harbian-audit-master$ sudo ./bin/hardening.sh --final ``` #### Clear bash hostory From af047a4f564914ccc065f97f1d75cf21cc028d6b Mon Sep 17 00:00:00 2001 From: Samson-W Date: Fri, 27 Sep 2019 17:57:31 +0800 Subject: [PATCH 29/34] Update AMI ID in Readme doc. --- README-CN.md | 6 +++--- README.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README-CN.md b/README-CN.md index 41e1c8f..d9543e5 100644 --- a/README-CN.md +++ b/README-CN.md 
@@ -238,15 +238,15 @@ This document is a description of the additions to the sections not included in The HardenedLinux community has created public AMI images for three different regions. Destination region: US East(Ohio) -AMI ID: ami-0459b7f679f8941a4 +AMI ID: ami-091d37e9d358aaa84 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 Destination region: EU(Frankfurt) -AMI ID: ami-022f30970530a0c5b +AMI ID: ami-073725a8c2cf45418 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 Destination region: Asia Pacific(Tokyo) -AMI ID: ami-003de0c48c2711265 +AMI ID: ami-06c0adb6ee5e7d417 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 #### 相关文档 diff --git a/README.md b/README.md index 1f3bbb6..0053b1c 100644 --- a/README.md +++ b/README.md @@ -260,15 +260,15 @@ This document is a description of the additions to the sections not included in The HardenedLinux community has created public AMI images for three different regions. Destination region: US East(Ohio) -AMI ID: ami-0459b7f679f8941a4 +AMI ID: ami-091d37e9d358aaa84 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 Destination region: EU(Frankfurt) -AMI ID: ami-022f30970530a0c5b +AMI ID: ami-073725a8c2cf45418 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 Destination region: Asia Pacific(Tokyo) -AMI ID: ami-003de0c48c2711265 +AMI ID: ami-06c0adb6ee5e7d417 AMI Name: harbian-audit complianced for Debian GNU/Linux 9 #### Docs From 15f788cd55c9017611a8d416edfc49e679fe1dde Mon Sep 17 00:00:00 2001 From: Samson-W Date: Sat, 28 Sep 2019 01:16:48 +0800 Subject: [PATCH 30/34] Update Readme --- README-CN.md | 2 -- README.md | 2 -- 2 files changed, 4 deletions(-) diff --git a/README-CN.md b/README-CN.md index d9543e5..82b732c 100644 --- a/README-CN.md +++ b/README-CN.md @@ -186,8 +186,6 @@ $ sudo bin/hardening.sh --final 8.1.1.2 8.1.1.3 8.1.12 - -#### 需要修复3次的项 4.5 ## 玩(如何添加检查项) diff --git a/README.md b/README.md index 0053b1c..00af8e5 100644 --- a/README.md +++ b/README.md 
@@ -204,8 +204,6 @@ These are all related to the aide. It is best to fix all the items after they ha 8.1.1.2 8.1.1.3 8.1.12 - -### Items that need to be fix three times: 4.5 ## Hacking From 139e9fb683f0424effd9608b64ffcf365b3dcd02 Mon Sep 17 00:00:00 2001 From: SG <13872653+mmguero@users.noreply.github.com> Date: Fri, 4 Oct 2019 09:02:32 -0600 Subject: [PATCH 31/34] remove trailing space from '-w /sbin/insmod -p x -k modules' line which causes check from 8.1.17_record_kernel_modules.sh to fail unless audit rule also contains trailing space --- bin/hardening/8.1.17_record_kernel_modules.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/bin/hardening/8.1.17_record_kernel_modules.sh b/bin/hardening/8.1.17_record_kernel_modules.sh index b00ef48..fe43549 100755 --- a/bin/hardening/8.1.17_record_kernel_modules.sh +++ b/bin/hardening/8.1.17_record_kernel_modules.sh @@ -14,13 +14,13 @@ set -u # One variable unset, it's over HARDENING_LEVEL=4 -ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules +ARCH64_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -w /bin/kmod -p x -k modules -a always,exit -F arch=b32 -S init_module -S delete_module -S create_module -S finit_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules' -ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules +ARCH32_AUDIT_PARAMS='-w /sbin/insmod -p x -k modules -w /sbin/rmmod -p x -k modules -w /sbin/modprobe -p x -k modules -w /bin/kmod -p x -k modules @@ -34,8 +34,8 @@ audit () { d_IFS=$IFS IFS=$'\n' is_64bit_arch - if [ $FNRET=0 ]; then - AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS + if [ $FNRET=0 ]; then + AUDIT_PARAMS=$ARCH64_AUDIT_PARAMS else AUDIT_PARAMS=$ARCH32_AUDIT_PARAMS fi From ed894c0b43f42b55dfd0d559ee66fd9130900c97 Mon Sep 17 00:00:00 2001 
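Review bot: The test `[ $FNRET=0 ]` that the second hunk of 8.1.17_record_kernel_modules.sh re-adds in audit() is a single non-empty word, so it is always true and the `ARCH32_AUDIT_PARAMS` branch can never run; the whitespace cleanup keeps that form. Write it as `if [ "$FNRET" = 0 ]; then` so the result of is_64bit_arch actually selects the rule set. As written, a host where is_64bit_arch reports non-zero would presumably still be audited against the list containing the `arch=b64` rule. audit() continues outside the hunk.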
From: Samson-W Date: Tue, 15 Oct 2019 04:16:44 +0800 Subject: [PATCH 32/34] Fix a bug: when file is not exist, return error --- lib/utils.sh | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/utils.sh b/lib/utils.sh index 75dadd4..78ed2c1 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -152,12 +152,15 @@ has_file_correct_ownership() { has_file_correct_permissions() { local FILE=$1 local PERMISSIONS=$2 - - if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then - FNRET=0 - else + if [ -e $FILE ]; then + if [ $($SUDO_CMD stat -L -c "%a" $1) = "$PERMISSIONS" ]; then + FNRET=0 + else + FNRET=1 + fi + else FNRET=1 - fi + fi } does_pattern_exist_in_file() { From 6a4de4e4d541e0e302652def654c587d07f3c1d1 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Thu, 17 Oct 2019 15:36:19 +0800 Subject: [PATCH 33/34] Fix some bugs for CentOS. --- ....17_ensure_virul_scan_server_is_enabled.sh | 64 +++++++++++++------ ...ure_virusscan_program_update_is_enabled.sh | 38 +++++++++-- lib/utils.sh | 1 + 3 files changed, 78 insertions(+), 25 deletions(-) diff --git a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh index 228e24b..2d236f4 100755 --- a/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh +++ b/bin/hardening/6.17_ensure_virul_scan_server_is_enabled.sh 
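Review bot: The new existence guard in has_file_correct_permissions (lib/utils.sh) runs `[ -e $FILE ]` as the calling user while the `stat` on the next line goes through `$SUDO_CMD`, and `$FILE` is unquoted. If the file sits under a directory the caller cannot traverse, the guard may report it missing even though the privileged stat would succeed. Use the same privilege and quoting for both: `if $SUDO_CMD test -e "$FILE"; then` and `if [ "$($SUDO_CMD stat -L -c "%a" "$FILE")" = "$PERMISSIONS" ]; then`. FNRET=1 now means "file absent" as well as "wrong mode"; a comment above the function should say so, since callers that react to 1 by correcting the mode would presumably act on a path that does not exist.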
@@ -17,31 +17,53 @@ VIRULSERVER='clamav-daemon' # This function will be called if the script status is on enabled / audit mode audit () { - if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then - if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then - crit "$VIRULSERVER is not runing" - FNRET=2 - else - ok "$VIRULSERVER is enable" - FNRET=0 - fi - else - crit "$VIRULSERVER is not installed" - FNRET=1 - fi + if [ $OS_RELEASE -eq 1 ]; then + if [ $(dpkg -l | grep -c $VIRULSERVER) -ge 1 ]; then + if [ $(systemctl | grep $VIRULSERVER | grep -c "active running") -ne 1 ]; then + crit "$VIRULSERVER is not runing" + FNRET=2 + else + ok "$VIRULSERVER is enable" + FNRET=0 + fi + else + crit "$VIRULSERVER is not installed" + FNRET=1 + fi + elif [ $OS_RELEASE -eq 2 ]; then + if [ $(rpm -qa | grep -c clamd) -ge 1 ]; then + ok "Clamav is installed" + else + crit "Clamav is not install" + fi + else + crit "Current OS is not support!" + fi } # This function will be called if the script status is on enabled mode apply () { - if [ $FNRET = 0 ]; then - ok "$VIRULSERVER is enable" - elif [ $FNRET = 1 ]; then - warn "Install $VIRULSERVER" - apt-get install -y $VIRULSERVER - else - warn "Start server $VIRULSERVER" - systemctl start $VIRULSERVER - fi + if [ $OS_RELEASE -eq 1 ]; then + if [ $FNRET = 0 ]; then + ok "$VIRULSERVER is enable" + elif [ $FNRET = 1 ]; then + warn "Install $VIRULSERVER" + apt-get install -y $VIRULSERVER + else + warn "Start server $VIRULSERVER" + systemctl start $VIRULSERVER + fi + elif [ $OS_RELEASE -eq 2 ]; then + if [ $FNRET = 0 ]; then + ok "$VIRULSERVER is enable" + elif [ $FNRET = 1 ]; then + warn "Install $VIRULSERVER" + yum install -y $VIRULSERVER + else + warn "Start server $VIRULSERVER" + systemctl start $VIRULSERVER + fi + fi } # This function will check config parameters required 
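Review bot: The `$OS_RELEASE -eq 2` branch of audit() in 6.17_ensure_virul_scan_server_is_enabled.sh prints ok or crit but never assigns FNRET, while the matching branch of apply() dispatches on `$FNRET`. apply() then acts on whatever value an earlier call left behind. Set it next to the messages, `FNRET=0` after `ok "Clamav is installed"` and `FNRET=1` after `crit "Clamav is not install"`, and also in the unsupported-OS branch. The audit greps `rpm -qa` for `clamd` while apply runs `yum install -y $VIRULSERVER` with the value `clamav-daemon`, which looks like the Debian package name; confirm the package name for the RPM side.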
diff --git a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh index ee75c75..5ed088e 100755 --- a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh +++ b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh @@ -16,8 +16,7 @@ HARDENING_LEVEL=4 CLAMAVCONF_DIR='/etc/clamav/clamd.conf' UPDATE_SERVER='clamav-freshclam' -# This function will be called if the script status is on enabled / audit mode -audit () { +audit_debian () { UPDATE_DIR=$(grep -i databasedirectory "$CLAMAVCONF_DIR" | awk '{print $2}') if [ -d $UPDATE_DIR -a -e $CLAMAVCONF_DIR ]; then NOWTIME=$(date +"%s") @@ -37,8 +36,23 @@ audit () { fi } -# This function will be called if the script status is on enabled mode -apply () { +# todo +audit_redhat () { + : +} + +# This function will be called if the script status is on enabled / audit mode +audit () { + if [ $OS_RELEASE -eq 1 ]; then + audit_debian + elif [ $OS_RELEASE -eq 1 ]; then + audit_redhat + else + crit "Current OS is not support!" + fi +} + +apply_debian () { if [ $FNRET = 0 ]; then ok "Clamav database file has a date less than seven days from the current date" elif [ $FNRET = 2 ]; then @@ -50,6 +64,22 @@ apply () { fi } +# todo +apply_redhat () { + : +} + +# This function will be called if the script status is on enabled mode +apply () { + if [ $OS_RELEASE -eq 1 ]; then + apply_debian + elif [ $OS_RELEASE -eq 1 ]; then + apply_redhat + else + crit "Current OS is not support!" + fi +} + # This function will check config parameters required check_config() { : diff --git a/lib/utils.sh b/lib/utils.sh index 78ed2c1..36ba86b 100644 --- a/lib/utils.sh +++ b/lib/utils.sh @@ -160,6 +160,7 @@ has_file_correct_permissions() { fi else FNRET=1 + info "$FILE is not exist!" fi } From 61327ff5232fce6c33d2908cadd1a43d36c3b052 Mon Sep 17 00:00:00 2001 
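Review bot: audit_redhat and apply_redhat in 6.18_ensure_virusscan_program_update_is_enabled.sh are `:` placeholders, so when the dispatch in audit()/apply() reaches them the check prints neither ok nor crit and leaves FNRET as it was. A host whose virus definitions are never updated would then be indistinguishable in the report from one that passed. Until the logic is written, make the stub say so, for example `warn "Clamav update check is not implemented for this OS"` in place of `:`. Also replace the bare `# todo` with a comment stating what the function must eventually verify.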
From: Samson-W Date: Fri, 18 Oct 2019 03:23:30 +0800 Subject: [PATCH 34/34] Fix a bug for 6.18 --- .../6.18_ensure_virusscan_program_update_is_enabled.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh index 5ed088e..10fe2f8 100755 --- a/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh +++ b/bin/hardening/6.18_ensure_virusscan_program_update_is_enabled.sh @@ -45,7 +45,7 @@ audit_redhat () { audit () { if [ $OS_RELEASE -eq 1 ]; then audit_debian - elif [ $OS_RELEASE -eq 1 ]; then + elif [ $OS_RELEASE -eq 2 ]; then audit_redhat else crit "Current OS is not support!" @@ -73,7 +73,7 @@ apply_redhat () { apply () { if [ $OS_RELEASE -eq 1 ]; then apply_debian - elif [ $OS_RELEASE -eq 1 ]; then + elif [ $OS_RELEASE -eq 2 ]; then apply_redhat else crit "Current OS is not support!"