From c5c1fc7a4c8d0243ce13c00bdccd744fe72a53ba Mon Sep 17 00:00:00 2001 
From: darrickw Date: Wed, 21 Feb 2024 16:59:59 -0700 Subject: [PATCH 1/2] aria ops logs inspec edits and add ansible content --- .../operations-for-logs/8.x/ansible/README.md | 46 + .../8.x/ansible/playbook.yml | 6 + .../roles/ariaopslogs/defaults/main.yml | 25 + .../roles/ariaopslogs/tasks/ariaopslogs.yml | 303 +++++++ .../ansible/roles/ariaopslogs/tasks/main.yml | 11 + .../ansible/roles/cassandra/defaults/main.yml | 4 + .../roles/cassandra/tasks/cassandra.yml | 80 ++ .../ansible/roles/cassandra/tasks/main.yml | 11 + .../ansible/roles/tcserver/defaults/main.yml | 42 + .../ansible/roles/tcserver/handlers/main.yml | 5 + .../8.x/ansible/roles/tcserver/tasks/main.yml | 11 + .../ansible/roles/tcserver/tasks/tcserver.yml | 822 ++++++++++++++++++ aria/operations-for-logs/8.x/docs/README.md | 13 +- ..._for_Logs_8x_STIG_Readiness_Guide_v1r3.zip | Bin 257234 -> 0 bytes ..._for_Logs_8x_STIG_Readiness_Guide_v1r4.zip | Bin 0 -> 282913 bytes .../8.x/inspec/CHANGELOG.md | 27 + aria/operations-for-logs/8.x/inspec/LICENSE | 2 +- aria/operations-for-logs/8.x/inspec/README.md | 4 +- .../8.x/inspec/ariaopslogs/inspec.yml | 12 +- .../cassandra/controls/VLIC-8X-000006.rb | 2 +- .../cassandra/controls/VLIC-8X-000007.rb | 2 +- .../cassandra/controls/VLIC-8X-000012.rb | 55 -- .../cassandra/controls/VLIC-8X-000013.rb | 2 +- .../cassandra/controls/VLIC-8X-000014.rb | 14 +- .../cassandra/controls/VLIC-8X-000016.rb | 40 - .../8.x/inspec/cassandra/inspec.yml | 12 +- .../operations-for-logs/8.x/inspec/inspec.yml | 10 +- .../inspec/photon/controls/PHTN-40-000003.rb | 55 ++ .../inspec/photon/controls/PHTN-40-000004.rb | 60 ++ .../inspec/photon/controls/PHTN-40-000005.rb | 97 +++ .../inspec/photon/controls/PHTN-40-000007.rb | 43 + .../inspec/photon/controls/PHTN-40-000012.rb | 45 + .../inspec/photon/controls/PHTN-40-000013.rb | 43 + .../inspec/photon/controls/PHTN-40-000014.rb | 52 ++ .../inspec/photon/controls/PHTN-40-000016.rb | 33 + .../inspec/photon/controls/PHTN-40-000019.rb | 57 ++ 
.../inspec/photon/controls/PHTN-40-000021.rb | 52 ++ .../inspec/photon/controls/PHTN-40-000026.rb | 55 ++ .../inspec/photon/controls/PHTN-40-000030.rb | 45 + .../inspec/photon/controls/PHTN-40-000031.rb | 59 ++ .../inspec/photon/controls/PHTN-40-000035.rb | 49 ++ .../inspec/photon/controls/PHTN-40-000036.rb | 49 ++ .../inspec/photon/controls/PHTN-40-000037.rb | 49 ++ .../inspec/photon/controls/PHTN-40-000038.rb | 51 ++ .../inspec/photon/controls/PHTN-40-000039.rb | 37 + .../inspec/photon/controls/PHTN-40-000040.rb | 30 + .../inspec/photon/controls/PHTN-40-000041.rb | 33 + .../inspec/photon/controls/PHTN-40-000042.rb | 33 + .../inspec/photon/controls/PHTN-40-000043.rb | 45 + .../inspec/photon/controls/PHTN-40-000044.rb | 49 ++ .../inspec/photon/controls/PHTN-40-000046.rb | 77 ++ .../inspec/photon/controls/PHTN-40-000047.rb | 88 ++ .../inspec/photon/controls/PHTN-40-000049.rb | 32 + .../inspec/photon/controls/PHTN-40-000059.rb | 43 + .../inspec/photon/controls/PHTN-40-000066.rb | 58 ++ .../inspec/photon/controls/PHTN-40-000067.rb | 43 + .../inspec/photon/controls/PHTN-40-000068.rb | 44 + .../inspec/photon/controls/PHTN-40-000069.rb | 47 + .../inspec/photon/controls/PHTN-40-000073.rb | 42 + .../inspec/photon/controls/PHTN-40-000074.rb | 43 + .../inspec/photon/controls/PHTN-40-000076.rb | 58 ++ .../inspec/photon/controls/PHTN-40-000078.rb | 54 ++ .../inspec/photon/controls/PHTN-40-000079.rb | 61 ++ .../inspec/photon/controls/PHTN-40-000080.rb | 45 + .../inspec/photon/controls/PHTN-40-000082.rb | 81 ++ .../inspec/photon/controls/PHTN-40-000085.rb | 36 + .../inspec/photon/controls/PHTN-40-000086.rb | 51 ++ .../inspec/photon/controls/PHTN-40-000092.rb | 44 + .../inspec/photon/controls/PHTN-40-000093.rb | 50 ++ .../inspec/photon/controls/PHTN-40-000105.rb | 43 + .../inspec/photon/controls/PHTN-40-000107.rb | 66 ++ .../inspec/photon/controls/PHTN-40-000108.rb | 46 + .../inspec/photon/controls/PHTN-40-000110.rb | 45 + .../inspec/photon/controls/PHTN-40-000111.rb | 64 ++ 
.../inspec/photon/controls/PHTN-40-000112.rb | 44 + .../inspec/photon/controls/PHTN-40-000127.rb | 38 + .../inspec/photon/controls/PHTN-40-000130.rb | 46 + .../inspec/photon/controls/PHTN-40-000133.rb | 55 ++ .../inspec/photon/controls/PHTN-40-000160.rb | 43 + .../inspec/photon/controls/PHTN-40-000161.rb | 46 + .../inspec/photon/controls/PHTN-40-000173.rb | 64 ++ .../inspec/photon/controls/PHTN-40-000175.rb | 55 ++ .../inspec/photon/controls/PHTN-40-000182.rb | 46 + .../inspec/photon/controls/PHTN-40-000184.rb | 45 + .../inspec/photon/controls/PHTN-40-000185.rb | 37 + .../inspec/photon/controls/PHTN-40-000186.rb | 45 + .../inspec/photon/controls/PHTN-40-000187.rb | 37 + .../inspec/photon/controls/PHTN-40-000188.rb | 42 + .../inspec/photon/controls/PHTN-40-000192.rb | 68 ++ .../inspec/photon/controls/PHTN-40-000193.rb | 52 ++ .../inspec/photon/controls/PHTN-40-000194.rb | 48 + .../inspec/photon/controls/PHTN-40-000195.rb | 52 ++ .../inspec/photon/controls/PHTN-40-000196.rb | 53 ++ .../inspec/photon/controls/PHTN-40-000197.rb | 43 + .../inspec/photon/controls/PHTN-40-000199.rb | 40 + .../inspec/photon/controls/PHTN-40-000200.rb | 51 ++ .../inspec/photon/controls/PHTN-40-000201.rb | 46 + .../inspec/photon/controls/PHTN-40-000203.rb | 46 + .../inspec/photon/controls/PHTN-40-000204.rb | 71 ++ .../inspec/photon/controls/PHTN-40-000206.rb | 42 + .../inspec/photon/controls/PHTN-40-000207.rb | 42 + .../inspec/photon/controls/PHTN-40-000208.rb | 42 + .../inspec/photon/controls/PHTN-40-000209.rb | 37 + .../inspec/photon/controls/PHTN-40-000210.rb | 31 + .../inspec/photon/controls/PHTN-40-000211.rb | 42 + .../inspec/photon/controls/PHTN-40-000212.rb | 42 + .../inspec/photon/controls/PHTN-40-000213.rb | 42 + .../inspec/photon/controls/PHTN-40-000214.rb | 42 + .../inspec/photon/controls/PHTN-40-000215.rb | 42 + .../inspec/photon/controls/PHTN-40-000216.rb | 42 + .../inspec/photon/controls/PHTN-40-000217.rb | 42 + .../inspec/photon/controls/PHTN-40-000218.rb | 42 + 
.../inspec/photon/controls/PHTN-40-000219.rb | 42 + .../inspec/photon/controls/PHTN-40-000220.rb | 42 + .../inspec/photon/controls/PHTN-40-000221.rb | 42 + .../inspec/photon/controls/PHTN-40-000222.rb | 44 + .../inspec/photon/controls/PHTN-40-000223.rb | 62 ++ .../inspec/photon/controls/PHTN-40-000224.rb | 43 + .../inspec/photon/controls/PHTN-40-000225.rb | 48 + .../inspec/photon/controls/PHTN-40-000226.rb | 48 + .../inspec/photon/controls/PHTN-40-000227.rb | 48 + .../inspec/photon/controls/PHTN-40-000228.rb | 48 + .../inspec/photon/controls/PHTN-40-000229.rb | 48 + .../inspec/photon/controls/PHTN-40-000231.rb | 45 + .../inspec/photon/controls/PHTN-40-000232.rb | 43 + .../inspec/photon/controls/PHTN-40-000233.rb | 50 ++ .../inspec/photon/controls/PHTN-40-000234.rb | 50 ++ .../inspec/photon/controls/PHTN-40-000235.rb | 45 + .../inspec/photon/controls/PHTN-40-000236.rb | 40 + .../inspec/photon/controls/PHTN-40-000237.rb | 59 ++ .../inspec/photon/controls/PHTN-40-000238.rb | 48 + .../inspec/photon/controls/PHTN-40-000239.rb | 61 ++ .../inspec/photon/controls/PHTN-40-000241.rb | 35 + .../inspec/photon/controls/PHTN-40-000242.rb | 33 + .../inspec/photon/controls/PHTN-40-000243.rb | 43 + .../inspec/photon/controls/PHTN-40-000244.rb | 43 + .../inspec/photon/controls/PHTN-40-000245.rb | 46 + .../inspec/photon/controls/PHTN-40-000246.rb | 43 + .../8.x/inspec/photon/files/aide.conf | 68 ++ .../8.x/inspec/photon/files/issue | 6 + .../8.x/inspec/photon/files/tmout.sh | 4 + .../8.x/inspec/photon/inspec.yml | 84 ++ .../inspec/photon/libraries/kernel_module.rb | 118 +++ .../8.x/inspec/photon/libraries/matchers.rb | 153 ++++ .../8.x/inspec/photon/libraries/pam.rb | 358 ++++++++ .../tcserver/controls/TCSV-00-000002.rb | 97 --- .../tcserver/controls/TCSV-00-000025.rb | 32 - .../tcserver/controls/TCSV-00-000026.rb | 33 - .../tcserver/controls/TCSV-00-000037.rb | 47 - .../tcserver/controls/TCSV-00-000045.rb | 56 -- .../tcserver/controls/TCSV-00-000048.rb | 55 -- 
.../tcserver/controls/TCSV-00-000051.rb | 64 -- .../tcserver/controls/TCSV-00-000088.rb | 34 - .../tcserver/controls/TCSV-00-000100.rb | 95 -- .../tcserver/controls/TCSV-00-000105.rb | 32 - .../tcserver/controls/TCSV-00-000106.rb | 71 -- .../tcserver/controls/TCSV-00-000117.rb | 40 - .../tcserver/controls/TCSV-00-000134.rb | 60 -- .../tcserver/controls/TCSV-00-000141.rb | 33 - .../tcserver/controls/TCSV-00-000147.rb | 40 - .../tcserver/controls/TCSV-00-000148.rb | 40 - .../tcserver/controls/TCSV-00-000149.rb | 40 - .../tcserver/controls/TCSV-00-000152.rb | 41 - .../{TCSV-00-000001.rb => VRLT-8X-000001.rb} | 48 +- .../{TCSV-00-000004.rb => VRLT-8X-000004.rb} | 14 +- .../{TCSV-00-000005.rb => VRLT-8X-000005.rb} | 16 +- .../{TCSV-00-000013.rb => VRLT-8X-000013.rb} | 14 +- .../{TCSV-00-000014.rb => VRLT-8X-000014.rb} | 16 +- .../tcserver/controls/VRLT-8X-000025.rb | 32 + .../tcserver/controls/VRLT-8X-000026.rb | 33 + .../{TCSV-00-000036.rb => VRLT-8X-000036.rb} | 14 +- .../{TCSV-00-000057.rb => VRLT-8X-000057.rb} | 14 +- .../{TCSV-00-000062.rb => VRLT-8X-000062.rb} | 14 +- .../{TCSV-00-000065.rb => VRLT-8X-000065.rb} | 14 +- .../{TCSV-00-000067.rb => VRLT-8X-000067.rb} | 14 +- .../{TCSV-00-000070.rb => VRLT-8X-000070.rb} | 14 +- .../{TCSV-00-000125.rb => VRLT-8X-000125.rb} | 14 +- .../{TCSV-00-000126.rb => VRLT-8X-000126.rb} | 14 +- .../{TCSV-00-000127.rb => VRLT-8X-000127.rb} | 30 +- .../{TCSV-00-000129.rb => VRLT-8X-000129.rb} | 16 +- .../{TCSV-00-000130.rb => VRLT-8X-000130.rb} | 14 +- .../{TCSV-00-000131.rb => VRLT-8X-000131.rb} | 16 +- .../{TCSV-00-000135.rb => VRLT-8X-000135.rb} | 14 +- .../{TCSV-00-000136.rb => VRLT-8X-000136.rb} | 14 +- .../{TCSV-00-000137.rb => VRLT-8X-000137.rb} | 14 +- .../{TCSV-00-000140.rb => VRLT-8X-000140.rb} | 14 +- .../tcserver/controls/VRLT-8X-000141.rb | 30 + .../{TCSV-00-000142.rb => VRLT-8X-000142.rb} | 20 +- .../{TCSV-00-000143.rb => VRLT-8X-000143.rb} | 16 +- .../{TCSV-00-000151.rb => VRLT-8X-000151.rb} | 36 +- 
.../tcserver/controls/VRLT-8X-000152.rb | 45 + .../{TCSV-00-000154.rb => VRLT-8X-000154.rb} | 16 +- .../{TCSV-00-000155.rb => VRLT-8X-000155.rb} | 16 +- .../8.x/inspec/tcserver/inspec.yml | 12 +- 194 files changed, 7924 insertions(+), 1270 deletions(-) create mode 100644 aria/operations-for-logs/8.x/ansible/README.md create mode 100644 aria/operations-for-logs/8.x/ansible/playbook.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/defaults/main.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/tasks/ariaopslogs.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/tasks/main.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/cassandra/defaults/main.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/cassandra/tasks/cassandra.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/cassandra/tasks/main.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/tcserver/defaults/main.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/tcserver/handlers/main.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/tcserver/tasks/main.yml create mode 100644 aria/operations-for-logs/8.x/ansible/roles/tcserver/tasks/tcserver.yml delete mode 100644 aria/operations-for-logs/8.x/docs/VMware_Aria_Operations_for_Logs_8x_STIG_Readiness_Guide_v1r3.zip create mode 100644 aria/operations-for-logs/8.x/docs/VMware_Aria_Operations_for_Logs_8x_STIG_Readiness_Guide_v1r4.zip delete mode 100644 aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000012.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000016.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000003.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000004.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000005.rb create mode 100644 
aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000007.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000012.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000013.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000014.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000016.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000019.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000021.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000026.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000030.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000031.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000035.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000036.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000037.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000038.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000039.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000040.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000041.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000042.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000043.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000044.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000046.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000047.rb create mode 100644 
aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000049.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000059.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000066.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000067.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000068.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000069.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000073.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000074.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000076.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000078.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000079.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000080.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000082.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000085.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000086.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000092.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000093.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000105.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000107.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000108.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000110.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000111.rb create mode 100644 
aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000112.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000127.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000130.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000133.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000160.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000161.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000173.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000175.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000182.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000184.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000185.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000186.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000187.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000188.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000192.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000193.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000194.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000195.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000196.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000197.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000199.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000200.rb create mode 100644 
aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000201.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000203.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000204.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000206.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000207.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000208.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000209.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000210.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000211.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000212.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000213.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000214.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000215.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000216.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000217.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000218.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000219.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000220.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000221.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000222.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000223.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000224.rb create mode 100644 
aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000225.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000226.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000227.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000228.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000229.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000231.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000232.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000233.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000234.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000235.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000236.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000237.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000238.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000239.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000241.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000242.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000243.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000244.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000245.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000246.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/files/aide.conf create mode 100644 aria/operations-for-logs/8.x/inspec/photon/files/issue create mode 100644 aria/operations-for-logs/8.x/inspec/photon/files/tmout.sh create 
mode 100644 aria/operations-for-logs/8.x/inspec/photon/inspec.yml create mode 100644 aria/operations-for-logs/8.x/inspec/photon/libraries/kernel_module.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/libraries/matchers.rb create mode 100644 aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000002.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000025.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000026.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000037.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000045.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000048.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000051.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000088.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000100.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000105.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000106.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000117.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000134.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000141.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000147.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000148.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000149.rb delete mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000152.rb rename 
aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000001.rb => VRLT-8X-000001.rb} (58%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000004.rb => VRLT-8X-000004.rb} (83%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000005.rb => VRLT-8X-000005.rb} (76%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000013.rb => VRLT-8X-000013.rb} (84%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000014.rb => VRLT-8X-000014.rb} (86%) create mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000025.rb create mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000026.rb rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000036.rb => VRLT-8X-000036.rb} (76%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000057.rb => VRLT-8X-000057.rb} (78%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000062.rb => VRLT-8X-000062.rb} (68%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000065.rb => VRLT-8X-000065.rb} (80%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000067.rb => VRLT-8X-000067.rb} (81%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000070.rb => VRLT-8X-000070.rb} (82%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000125.rb => VRLT-8X-000125.rb} (79%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000126.rb => VRLT-8X-000126.rb} (79%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000127.rb => VRLT-8X-000127.rb} (63%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000129.rb => VRLT-8X-000129.rb} (76%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000130.rb => VRLT-8X-000130.rb} (86%) rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000131.rb => 
VRLT-8X-000131.rb} (80%)
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000135.rb => VRLT-8X-000135.rb} (78%)
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000136.rb => VRLT-8X-000136.rb} (81%)
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000137.rb => VRLT-8X-000137.rb} (79%)
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000140.rb => VRLT-8X-000140.rb} (74%)
 create mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000141.rb
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000142.rb => VRLT-8X-000142.rb} (77%)
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000143.rb => VRLT-8X-000143.rb} (59%)
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000151.rb => VRLT-8X-000151.rb} (55%)
 create mode 100644 aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000152.rb
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000154.rb => VRLT-8X-000154.rb} (63%)
 rename aria/operations-for-logs/8.x/inspec/tcserver/controls/{TCSV-00-000155.rb => VRLT-8X-000155.rb} (63%)
diff --git a/aria/operations-for-logs/8.x/ansible/README.md b/aria/operations-for-logs/8.x/ansible/README.md
new file mode 100644
index 00000000..79b704c5
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/README.md
@@ -0,0 +1,46 @@
+# vmware-operations-for-logs-8x-stig-ansible-hardening
+VMware Aria Operations for Logs 8.x Appliance STIG Readiness Guide Ansible Playbook
+Version: Version 1 Release 4: 21 February 2024
+STIG Type: STIG Readiness Guide
+
+## Overview
+This is a hardening playbook that utilizes Ansible to perform automated remediation for STIG compliance of the VMware Aria Operations for Logs 8.x Appliance STIG Readiness Guide.
+
+## Supported Versions
+- VMware Aria Operations for Logs 8.14
+
+## !!Important!!
+- Please read through the README carefully and familiarize yourself with the playbook and ansible before running this playbook
+- As always please ensure you have a back out plan - if needed you can roll back the changes
+- In order to run the Photon role it must be installed as a role so that this playbook may find it
+- This playbook has not been tested for forward or backward compatibility beyond the version listed under supported versions.
+
+### Requirements
+
+- [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/index.html) installed on a machine that can SSH to the target node(s). Tested with Ansible 2.15.9.
+- SSH with root access enabled
+
+## Playbook Structure
+
+- playbook.yml - Main playbook to run
+- /roles//defaults/main.yml - Default variables to use during the run of the playbook
+- /roles//tasks/main.yml - Default role task file
+- /roles//.yml - task definitions for the role
+
+## How to run
+
+Run all controls on a target appliance. Prompt for password and display verbose output
+```
+ansible-playbook -i 'IP or FQDN', -u 'root' playbook.yml -k -v -b
+```
+Run controls for one service by specifying a tag.
+```
+ansible-playbook -i 'IP or FQDN', -u 'root' playbook.yml -k -v -b -t cassandra
+```
+Run a specific control by specifying a tag.
+```
+ansible-playbook -i 'IP or FQDN', -u 'username' playbook.yml -k -v -b -t VLIC-8X-000007
+```
+
+## Misc
+- If vars need to be updated we recommend either creating a vars file to specify at the command line or adding them to the main playbook.yml or your own playbook.yml so that it is easy to track what is being altered from the original state.
\ No newline at end of file
diff --git a/aria/operations-for-logs/8.x/ansible/playbook.yml b/aria/operations-for-logs/8.x/ansible/playbook.yml
new file mode 100644
index 00000000..4fe7b3b8
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/playbook.yml
@@ -0,0 +1,6 @@
+- name: VRLI 8.x Remediation Automation
+ hosts: all
+ roles:
+ - role: ariaopslogs
+ - role: cassandra
+ - role: tcserver
diff --git a/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/defaults/main.yml b/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/defaults/main.yml
new file mode 100644
index 00000000..e8a34a53
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/defaults/main.yml
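Review bot: playbook.yml wires in only `ariaopslogs`, `cassandra` and `tcserver`, yet the README added in this same commit tells the operator that the Photon role must be installed "so that this playbook may find it", and nothing in the play references such a role. If the appliance OS is meant to be hardened by this play, a `- role: <installed-photon-role-name>` entry is missing from the `roles:` list; if the Photon role is intended to be run separately, the README sentence should say so instead. As committed, the two files disagree about what a single run of `playbook.yml` covers.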
@@ -0,0 +1,25 @@
+---
+# defaults file for ariaopslogs
+ariaopslogs_apipath: "https://{{ inventory_hostname }}:9543/api/v2"
+ariaopslogs_username: "admin"
+ariaopslogs_password: "VMware1!"
+
+# VLIA-8X-000001
+ariaopslogs_loginbanner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring |
+of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+
+# VLIA-8X-000002
+ariaopslogs_ntp_servers:
+ - 0.vmware.pool.ntp.org
+ - 1.vmware.pool.ntp.org
+ - 2.vmware.pool.ntp.org
+ - 3.vmware.pool.ntp.org
+
+# VLIA-8X-000003
+ariaopslogs_config_base: "/usr/lib/loginsight/application/etc/loginsight-config-base.xml"
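Review bot: `ariaopslogs_password: "VMware1!"` puts a working admin credential into a committed role default, so any run that does not override it authenticates with a password that lives in version control, and because the README recommends `-v` and the session task sends this value in its request body it is likely to surface in console output unless that task sets `no_log: true`. Ship the default empty and require the real value from `ansible-vault` or `-e`, e.g. `ariaopslogs_password: ""  # supply via ansible-vault or -e; never commit a value`. Separately, the `|` at the end of the `-Notwithstanding the above ...` line sits inside the double-quoted `ariaopslogs_loginbanner` scalar, so YAML treats it as literal text rather than a block indicator and the banner pushed to the appliance will read `monitoring | of the content`; either delete the `|` or rewrite the value as a `>-` folded block scalar so line breaks are handled by YAML instead of by quoting.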
diff --git a/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/tasks/ariaopslogs.yml b/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/tasks/ariaopslogs.yml
new file mode 100644
index 00000000..799309bd
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/tasks/ariaopslogs.yml
@@ -0,0 +1,303 @@
+# Generate session token
+- name: Generate and get session ID
+ tags: always
+ block:
+ - name: Generate sessionId
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/sessions"
+ method: POST
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ body_format: json
+ body: '{"username":"{{ ariaopslogs_username }}","password":"{{ ariaopslogs_password }}","provider":"Local"}'
+ validate_certs: false
+ register: token
+
+ - name: Extract & save sessionId
+ ansible.builtin.set_fact:
+ session_id: "{{ token.json.sessionId }}"
+
+###################################################################################################################################
+
+# VLIA-8X-000001 - VMware Aria Operations for Logs must display the standard DoD notice and consent banner before granting access to the system.
+- name: VLIA-8X-000001 - VMware Aria Operations for Logs must display the standard DoD notice and consent banner before granting access to the system
+ tags: [VLIA-8X-000001]
+ block:
+ - name: VLIA-8X-000001 - Get Current DoD Consent Details
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/dod"
+ method: GET
+ status_code: 200
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ validate_certs: false
+ register: response_get_dod
+ changed_when: false
+ failed_when:
+ - response_get_dod.status != 200
+
+ - name: VLIA-8X-000001 -Update DoD Consent Details
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/dod"
+ method: PUT
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ body_format: json
+ body: '{ "enabled" : true, "title" : "DoD Consent", "description" : "{{ ariaopslogs_loginbanner }}", "loginMessageType" : "CONSENT_DIALOG" }'
+ validate_certs: false
+ register: response_upd_dod
+ when:
+ - not response_get_dod.json.enabled
+ changed_when:
+ - response_upd_dod.status == 200
+
+###################################################################################################################################
+
+# VLIA-8X-000002 - VMware Aria Operations for Logs must be configured to synchronize time with an authoritative source.
+- name: VLIA-8X-000002 - VMware Aria Operations for Logs must be configured to synchronize time with an authoritative source
+ tags: [VLIA-8X-000002]
+ block:
+ - name: VLIA-8X-000002 - Get time configurations
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/time/config"
+ method: GET
+ status_code: 200
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ validate_certs: false
+ register: response_get_time
+ changed_when: false
+ failed_when:
+ - response_get_time.status != 200
+
+ - name: VLIA-8X-000002 - Update time configurations
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/time/config"
+ method: PUT
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ body_format: json
+ body: '{ "timeReference": "NTP_SERVER","ntpServers": {{ ariaopslogs_ntp_servers }} }'
+ validate_certs: false
+ register: response_upd_time
+ when:
+ - response_get_time.json.ntpConfig.timeReference == "ESX_HOST" or response_get_time.json.ntpConfig.ntpServers != ariaopslogs_ntp_servers
+ changed_when:
+ - response_upd_time.status == 200
+
+###################################################################################################################################
+
+# VLIA-8X-000003 - VMware Aria Operations for Logs must initiate session auditing upon startup.
+- name: VLIA-8X-000003 - VMware Aria Operations for Logs must initiate session auditing upon startup
+ tags: [VLIA-8X-000003]
+ block:
+ - name: VLIA-8X-000003 - Configure log level
+ community.general.xml:
+ path: "{{ ariaopslogs_config_base }}"
+ xpath: '/config/logging/configuration/loggers/logger[@name="com.vmware.loginsight.web.bootstrap.Bootstrapper.audit"]'
+ attribute: level
+ value: "info"
+ state: present
+
+ - name: VLIA-8X-000003 - Configure appenderRef
+ community.general.xml:
+ path: "{{ ariaopslogs_config_base }}"
+ xpath: '/config/logging/configuration/loggers/logger[@name="com.vmware.loginsight.web.bootstrap.Bootstrapper.audit"]/appenderRef'
+ attribute: ref
+ value: "AUDIT"
+ state: present
+
+###################################################################################################################################
+
+# VLIA-8X-000004 - VMware Aria Operations for Logs must protect audit information from unauthorized read access.
+- name: VLIA-8X-000004 - VMware Aria Operations for Logs must protect audit information from unauthorized read access
+ tags: [VLIA-8X-000004]
+ block:
+ - name: VLIA-8X-000004 - Check log file permissions
+ ansible.builtin.command: stat -c "%a:%U:%G" /var/log/loginsight/audit.log
+ register: file_perm
+ changed_when: false
+
+ - name: VLIA-8X-000004 - Verify and update file permissions
+ ansible.builtin.file:
+ path: "/var/log/loginsight/audit.log"
+ state: file
+ owner: 'root'
+ group: 'root'
+ mode: '640'
+
+###################################################################################################################################
+
+# VLIA-8X-000005 - VMware Aria Operations for Logs must enable multifactor authentication.
+# This is a manual fix
+#### Login to VMware Aria Operations for Logs as an administrator.
+#### In the slide-out menu on the left, choose Configuration >> Authentication.
+#### Navigate to the "Workspace ONE Access" tab, ensure the "Enable Single Sign-On" radio button is enabled and the details of your Workspace ONE Access instance are correct, then click "Save".
+#### Workspace ONE Access must also be configured to support Smart Card authentication.
+#### See the accompanying Smart Card configuration guide for Workspace ONE Access.
+
+###################################################################################################################################
+
+# VLIA-8X-000006 - VMware Aria Operations for Logs must disable local accounts after 35 days of inactivity.
+# This is a manual fix.
+#### Login to VMware Aria Operations for Logs as an administrator.
+#### In the slide-out menu on the left, choose Configuration >> General.
+#### Enable the radio button next to "Password Policy Restriction" and click Save.
+
+###################################################################################################################################
+
+# VLIA-8X-000007 - VMware Aria Operations for Logs must terminate user sessions after a period of inactivity.
+- name: VLIA-8X-000007 - VMware Aria Operations for Logs must terminate user sessions after a period of inactivity
+ tags: [VLIA-8X-000007]
+ block:
+ - name: VLIA-8X-000007 - Get session timeout
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/ui/browser-session"
+ method: GET
+ status_code: 200
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ validate_certs: false
+ register: response_get_to
+ changed_when: false
+ failed_when:
+ - response_get_to.status != 200
+
+ - name: VLIA-8X-000007 - Update session timeout
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/ui/browser-session"
+ method: PUT
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ body_format: json
+ body: '{ "timeout" : 30 }'
+ validate_certs: false
+ register: response_upd_to
+ when:
+ - response_get_to.json.timeout != 30
+ changed_when:
+ - response_upd_to.status == 200
+
+###################################################################################################################################
+
+# VLIA-8X-000008 - VMware Aria Operations for Logs must notify the SA and ISSO when log record retention capacity is low.
+- name: VLIA-8X-000008 - VMware Aria Operations for Logs must notify the SA and ISSO when log record retention capacity is low
+ tags: [VLIA-8X-000008]
+ block:
+ - name: VLIA-8X-000008 - Get retention threshold
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/notification/config/retention-threshold"
+ method: GET
+ status_code: 200
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ validate_certs: false
+ register: response_get_thres
+ changed_when: false
+ failed_when:
+ - response_get_thres.status != 200
+
+ - name: VLIA-8X-000008 - Update retention threshold
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/notification/config/retention-threshold"
+ method: PUT
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ body_format: json
+ body: '{ "sendNotification" : true, "dataInterval" : 1, "intervalUnit" : "MONTHS" }'
+ validate_certs: false
+ register: response_upd_thres
+ when:
+ - not response_get_thres.json.sendNotification
+ changed_when:
+ - response_upd_thres.status == 200
+
+###################################################################################################################################
+
+# VLIA-8X-000009 - VMware Aria Operations for Logs must alert administrators of audit failure events.
+# This is a manual fix.
+#### Login to VMware Aria Operations for Logs as an administrator.
+#### In the slide-out menu on the left, choose Management >> Hosts.
+#### Click the checkbox next to "Inactive hosts notification" and configure an alerting threshold for notifications according to organizational policies.
+
+###################################################################################################################################
+
+# VLIA-8X-000010 - VMware Aria Operations for Logs must use only DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
+# This is a manual fix.
+#### Generate or request a new certificate from a trusted certificate authority
+#### Login to VMware Aria Operations for Logs as an administrator.
+#### In the slide-out menu on the left, choose Configuration >> SSL.
+#### Click "Choose File" next to "New Certificate File", select the new certificate file, then click Save.
+#### Restart if prompted.
+
+###################################################################################################################################
+
+# VLIA-8X-000011 - VMware Aria Operations for Logs must protect API SSL connections.
+# This is a manual fix
+#### Login to VMware Aria Operations for Logs as an administrator.
+#### In the slide-out menu on the left, choose Configuration >> SSL.
+#### Ensure "Require SSL Connection" is enabled and click save.
+
+###################################################################################################################################
+
+# VLIA-8X-000012 - VMware Aria Operations for Logs must not provide environment information to third parties.
+- name: VLIA-8X-000012 - VMware Aria Operations for Logs must not provide environment information to third parties
+ tags: [VLIA-8X-000012]
+ block:
+ - name: VLIA-8X-000012 - Get CEIP
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/ceip"
+ method: GET
+ status_code: 200
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ validate_certs: false
+ register: response_get_ceip
+ changed_when: false
+ failed_when:
+ - response_get_ceip.status != 200
+
+ - name: VLIA-8X-000012 - Update CEIP
+ ansible.builtin.uri:
+ url: "{{ ariaopslogs_apipath }}/ceip"
+ method: PUT
+ headers:
+ Content-Type: 'application/json'
+ Accept: 'application/json'
+ Authorization: "Bearer {{ session_id }}"
+ body_format: json
+ body: '{ "feedback" : false }'
+ validate_certs: false
+ register: response_upd_ceip
+ when:
+ - response_get_ceip.json.feedback
+ changed_when:
+ - response_upd_ceip.status == 200
+
+###################################################################################################################################
+
+# VLIA-8X-000056 - VMware Aria Operations for Logs must protect audit information from unauthorized read access.
+# This is a manual fix
+#### Login to the VMware Aria Operations for Logs admin portal (/admin/) as an administrator.
+#### In the menu on the left, choose "Configuration", then "General".
+#### On the "General Configuration" page, under "FIPS MODE", ensure "Activate FIPS Mode" is enabled, then click "Save".
+#### Note: Once FIPS mode is activated, it can never be de-activated.
diff --git a/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/tasks/main.yml b/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/tasks/main.yml
new file mode 100644
index 00000000..920c2e04
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/ariaopslogs/tasks/main.yml
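Review bot: The `Generate sessionId` task at the top of the hunk posts `ariaopslogs_password` in the request body and registers the response as `token`, but carries no `no_log: true`, so a verbose or failed run prints the credential and the session ID in the module's invocation output; add `no_log: true` to that task and to the `set_fact` that stores `session_id`. Every `uri` call also hard-codes `validate_certs: false`; a role variable (e.g. a constructed `ariaopslogs_validate_certs` defaulting to the current value) would let operators turn verification back on once the certificate from VLIA-8X-000010 is in place. In VLIA-8X-000004 the registered `file_perm` is never read, so the `stat` task is dead code (the `file` task runs unconditionally, which is still idempotent; the cassandra role gates its equivalent on the stat output). The VLIA-8X-000056 comment reuses the VLIA-8X-000004 title "must protect audit information from unauthorized read access" for what the steps describe as the FIPS-mode control; the title should match the control.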
@@ -0,0 +1,11 @@
+---
+# tasks file for ariaopslogs
+
+- name: Include ariaopslogs
+ ansible.builtin.include_tasks:
+ file: ariaopslogs.yml
+ apply:
+ tags:
+ - ariaopslogs
+ tags:
+ - always
diff --git a/aria/operations-for-logs/8.x/ansible/roles/cassandra/defaults/main.yml b/aria/operations-for-logs/8.x/ansible/roles/cassandra/defaults/main.yml
new file mode 100644
index 00000000..4f566004
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/cassandra/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for cassandra
+cassandra_config: /usr/lib/loginsight/application/lib/apache-cassandra-4.1.3/conf/cassandra.yaml
+cassandra_root: /usr/lib/loginsight/application/lib/apache-cassandra-4.1.3
diff --git a/aria/operations-for-logs/8.x/ansible/roles/cassandra/tasks/cassandra.yml b/aria/operations-for-logs/8.x/ansible/roles/cassandra/tasks/cassandra.yml
new file mode 100644
index 00000000..9b5f15ef
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/cassandra/tasks/cassandra.yml
@@ -0,0 +1,80 @@
+# VLIC-8X-000006 - The Aria Operations for Logs Cassandra database logs must be protected from unauthorized read access.
+- name: VLIC-8X-000006 - The Aria Operations for Logs Cassandra database logs must be protected from unauthorized read access
+ tags: [VLIC-8X-000006]
+ block:
+ - name: VLIC-8X-000006 - Check log file permissions
+ ansible.builtin.shell: stat -c "%a:%U:%G" /storage/var/loginsight/cassandra.log;
+ register: file_perm
+ changed_when: false
+
+ - name: VLIC-8X-000006 - Verify and update file permissions
+ ansible.builtin.file:
+ path: "/storage/var/loginsight/cassandra.log"
+ state: file
+ owner: 'root'
+ group: 'root'
+ mode: '640'
+ when: item.split(':')[0] != "640" or item.split(':')[1] != "root" or item.split(':')[2] != "root"
+ with_items: "{{ file_perm.stdout_lines }}"
+
+###################################################################################################################################
+
+# VLIC-8X-000007 - The Aria Operations for Logs Cassandra database log configuration file must be protected from unauthorized read access.
+- name: VLIC-8X-000007 - The Aria Operations for Logs Cassandra database log configuration file must be protected from unauthorized read access
+ tags: [VLIC-8X-000007]
+ block:
+ - name: VLIC-8X-000007 - Check log conf file permissions
+ ansible.builtin.shell: stat -c "%a:%U:%G" {{ cassandra_root }}/conf/cassandra.yaml;
+ register: conf_file_perm
+ changed_when: false
+
+ - name: VLIC-8X-000007 - Verify and update conf file permissions
+ ansible.builtin.file:
+ path: "{{ cassandra_root }}/conf/cassandra.yaml"
+ state: file
+ owner: 'root'
+ group: 'root'
+ mode: '640'
+ when: item.split(':')[0] != "640" or item.split(':')[1] != "root" or item.split(':')[2] != "root"
+ with_items: "{{ conf_file_perm.stdout_lines }}"
+
+###################################################################################################################################
+
+# VLIC-8X-000013 - The Aria Operations for Logs Cassandra database must prohibit user installation of logic modules without explicit privileged status.
+- name: VLIC-8X-000013 - The Aria Operations for Logs Cassandra database must prohibit user installation of logic modules without explicit privileged status
+ tags: [VLIC-8X-000013]
+ block:
+ - name: VLIC-8X-000013 - Check log conf file permissions
+ ansible.builtin.shell: stat -c "%a:%U:%G" /usr/lib/loginsight/application/etc/truststore;
+ register: trust_file_perm
+ changed_when: false
+
+ - name: VLIC-8X-000013 - Verify and update conf file permissions
+ ansible.builtin.file:
+ path: "/usr/lib/loginsight/application/etc/truststore"
+ state: file
+ owner: 'root'
+ group: 'root'
+ mode: '600'
+ when: item.split(':')[0] != "600" or item.split(':')[1] != "root" or item.split(':')[2] != "root"
+ with_items: "{{ trust_file_perm.stdout_lines }}"
+
+###################################################################################################################################
+
+# VLIC-8X-000014 - The Aria Operations for Logs Cassandra database must verify there are no user altered roles
+- name: VLIC-8X-000014 - TThe Aria Operations for Logs Cassandra database must verify there are no user altered roles
+ tags: [VLIC-8X-000014]
+ block:
+ - name: VLIC-8X-000014 - Get roles from table
+ ansible.builtin.shell: |
+ set -o pipefail
+ {{ cassandra_root }}/bin/cqlsh-no-pass -e 'SELECT role, can_login, member_of FROM system_auth.roles;' | tail -n +4 | head -n -2
+ register: roles_whdr
+ changed_when: false
+
+ - name: VLIC-8X-000014 - Drop roles with unexpected permissions
+ ansible.builtin.shell: "{{ cassandra_root }}/bin/cqlsh-no-pass -e 'DROP ROLE {{ item.split('|')[0] }};'"
+ when: '(item.split("|")[0] | trim != "lisuper") or (item.split("|")[1] | trim != "True" or item.split("|")[2] | trim != "null")'
+ with_items: "{{ roles_whdr.stdout_lines }}"
+ register: drop_roles_out
+ changed_when: drop_roles_out.rc != 0
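Review bot: `changed_when: drop_roles_out.rc != 0` in VLIC-8X-000014 is inverted: a successful `DROP ROLE` (rc 0) is reported as `ok` and a failed one as `changed`; it should read `changed_when: drop_roles_out.rc == 0`. The role name is also spliced into a shell command line (`'DROP ROLE {{ item.split('|')[0] }};'`) straight from the query output, so a role name containing a quote or shell metacharacter breaks the quoting; pass it through the `quote` filter or run `cqlsh-no-pass` via `ansible.builtin.command` with `argv` so no shell is involved. The `when` expression drops every role other than `lisuper`, which presumably includes the built-in `cassandra` superuser if it still exists on the appliance — worth confirming that is intended and stating it in the task name. The task name also has a typo (`TThe`).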
diff --git a/aria/operations-for-logs/8.x/ansible/roles/cassandra/tasks/main.yml b/aria/operations-for-logs/8.x/ansible/roles/cassandra/tasks/main.yml
new file mode 100644
index 00000000..aa15cd00
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/cassandra/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+# tasks file for cassandra
+
+- name: Include cassandra
+ ansible.builtin.include_tasks:
+ file: cassandra.yml
+ apply:
+ tags:
+ - cassandra
+ tags:
+ - always
diff --git a/aria/operations-for-logs/8.x/ansible/roles/tcserver/defaults/main.yml b/aria/operations-for-logs/8.x/ansible/roles/tcserver/defaults/main.yml
new file mode 100644
index 00000000..a25ee899
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/tcserver/defaults/main.yml
@@ -0,0 +1,42 @@
+---
+# defaults file for tcserver
+tcserver_catalina_home: /usr/lib/loginsight/application/etc/3rd_config
+tcserver_catalina_base: /usr/lib/loginsight/application/3rd_party/apache-tomcat
+tcserver_server_xml_path: /usr/lib/loginsight/application/etc/3rd_config/server.xml
+tcserver_web_xml_path: /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml
+tcserver_catalina_prop_path: /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties
+tcserver_default_namespace: "http://java.sun.com/xml/ns/javaee"
+
+# TCSV-00-000001
+tcserver_maxthreads: '150'
+
+# TCSV-00-000014
+# This may need special escaping if special characters are used like & and {# #} {% raw %} and {% endraw %} at the beginning and end will get most of it
+# Also " needs to just be a " which turns into "
+tcserver_access_log_pattern: '{% raw %}%t %h %l %u "%r" %s %b %D{% endraw %}'
+
+# TCSV-00-000048
+tcserver_svc_account_name: "root"
+tcserver_svc_group: "root"
+
+# TCSV-00-000070
+tcserver_session_timeout: '30'
+
+# TCSV-00-000088
+tcserver_core_user: "root"
+tcserver_core_group: "root"
+
+# TCSV-00-000100
+tcserver_allowed_ciphers: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+
+# TCSV-00-000106
+tcserver_secure_ssl_protocol: "TLSv1.2"
+
+# TCSV-00-000125
+tcserver_connection_timeout: "20000"
+
+# TCSV-00-000126
+tcserver_maxkeep_alive_requests: "50"
+
+# TCSV-00-000134
+tcserver_shutdown_port: "-1"
diff --git a/aria/operations-for-logs/8.x/ansible/roles/tcserver/handlers/main.yml b/aria/operations-for-logs/8.x/ansible/roles/tcserver/handlers/main.yml
new file mode 100644
index 00000000..996dfbb2
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/tcserver/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart LI
+ ansible.builtin.service:
+ name: loginsight.service
+ state: restarted
diff --git a/aria/operations-for-logs/8.x/ansible/roles/tcserver/tasks/main.yml b/aria/operations-for-logs/8.x/ansible/roles/tcserver/tasks/main.yml
new file mode 100644
index 00000000..17de4dc9
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/tcserver/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+# tasks file for tcserver
+
+- name: Include tcserver
+ ansible.builtin.include_tasks:
+ file: tcserver.yml
+ apply:
+ tags:
+ - tcserver
+ tags:
+ - always
diff --git a/aria/operations-for-logs/8.x/ansible/roles/tcserver/tasks/tcserver.yml b/aria/operations-for-logs/8.x/ansible/roles/tcserver/tasks/tcserver.yml
new file mode 100644
index 00000000..f658d2e2
--- /dev/null
+++ b/aria/operations-for-logs/8.x/ansible/roles/tcserver/tasks/tcserver.yml
@@ -0,0 +1,822 @@
+# Backup files that may be modified in case restoration is needed
+- name: Backup files that may be modified in case restoration is needed
+ tags: always
+ block:
+ - name: Backup files - Create time stamp
+ ansible.builtin.set_fact:
+ backup_timestamp: "{{ lookup('pipe', 'date +%Y-%m-%d-%H-%M-%S') }}"
+
+ - name: Backup files - If restoring be sure to restore permissions that original file had!!
+ ansible.builtin.copy:
+ remote_src: true
+ src: "{{ item }}"
+ dest: "/tmp/ansible-backups-vrli-tcserver-{{ backup_timestamp }}/"
+ mode: preserve
+ changed_when: false
+ with_items:
+ - '{{ tcserver_server_xml_path }}'
+ - '{{ tcserver_web_xml_path }}'
+ - '{{ tcserver_catalina_prop_path }}'
+
+###################################################################################################################################
+
+# VRLT-8X-000001 - Tomcat server must limit the number of maximum concurrent connections permitted.
+- name: VRLT-8X-000001 - Tomcat server must limit the number of maximum concurrent connections permitted
+ tags: [VRLT-8X-000001]
+ block:
+ - name: VCRP-80-000098 - Count Executors with maxThreads setting
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: '//Executor[@maxThreads]'
+ count: true
+ register: executors
+
+ # If Executor node has maxThreads setting, make sure it is set correctly
+ - name: VRLT-8X-000001 - Add or configure maximum concurrent connections permitted - Executor node
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: '//Executor[@maxThreads]'
+ attribute: 'maxThreads'
+ value: '{{ tcserver_maxthreads }}'
+ pretty_print: true
+ when: executors.count | default(0) != 0
+ notify: Restart LI
+
+ - name: VCRP-80-000098 - Count Connectors with maxThreads setting
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: '//Connector[not(@executor) and not(@redirectPort) and (@maxThreads)]'
+ count: true
+ register: connectors
+
+ # Check each 
Connector that is not a redirect, and is not connected to an Executor - if setting is present, make sure it is correct. + - name: VRLT-8X-000001 - Add or configure maximum concurrent connections permitted - Connector node + community.general.xml: + path: '{{ tcserver_server_xml_path }}' + xpath: '//Connector[not(@executor) and not(@redirectPort) and (@maxThreads)]' + attribute: maxThreads + value: '{{ tcserver_maxthreads }}' + pretty_print: true + when: connectors.count | default(0) != 0 + notify: Restart LI + +################################################################################################################################### + +# VRLT-8X-000004-14 - Logging must be configured for each VMware Aria Operations for Logs tc Server application context. +- name: VRLT-8X-000004-14 - Logging must be configured for each The VMware Aria Operations for Logs tc Server application context + tags: [VRLT-8X-000004, VRLT-8X-000014] + block: + - name: VRLT-8X-000004-14 - Configure AccessLogValve for Host container + community.general.xml: + path: '{{ tcserver_server_xml_path }}' + xpath: '//Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]' + attribute: 'pattern' + value: '{{ tcserver_access_log_pattern }}' + pretty_print: true + notify: + - Restart LI + +################################################################################################################################### + +# VRLT-8X-000005 - Cookies must have secure flag set. 
+- name: VRLT-8X-000005 - Cookies must have secure flag set + tags: [VRLT-8X-000005] + block: + - name: VRLT-8X-000005 - Configure secure cookies + community.general.xml: + path: '{{ tcserver_web_xml_path }}' + xpath: '/x:web-app/x:session-config/x:cookie-config/x:secure' + value: 'true' + namespaces: + x: "{{ tcserver_default_namespace }}" + pretty_print: true + notify: + - Restart LI + +################################################################################################################################### + +# VRLT-8X-000013 - The VMware Aria Operations for Logs tc Server must initiate session logging upon startup. +# This is a manual fix +# Configure the application to begin logging application events as soon as the application starts up. + +################################################################################################################################### + +# VRLT-8X-000025 - The VMware Aria Operations for Logs tc Server logs folder permissions must be set correctly. +- name: VRLT-8X-000025 - The VMware Aria Operations for Logs tc Server logs folder permissions must be set correctly + tags: [VRLT-8X-000025] + block: + - name: VRLT-8X-000025 - Update logs directories permissions + ansible.builtin.shell: | + set -o pipefail + find {{ tcserver_catalina_base }}/logs -follow -maxdepth 0 -type d | sudo xargs chmod 750 + register: dir_perm_out + failed_when: false + changed_when: false + +################################################################################################################################### + +# VRLT-8X-000026 - Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640. 
+- name: VRLT-8X-000026 - Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640 + tags: [VRLT-8X-000026] + block: + - name: VRLT-8X-000026 - Update logs files permissions + ansible.builtin.shell: | + set -o pipefail + find {{ tcserver_catalina_base }}/logs/* -follow -maxdepth 0 -type f | sudo xargs chmod 640 + register: file_perm_out + failed_when: false + changed_when: false + +################################################################################################################################### + +# VRLT-8X-000036 - Stack tracing must be disabled. +- name: VRLT-8X-000036- Stack tracing must be disabled + tags: [VRLT-8X-000036] + block: + - name: VRLT-8X-000036 - Remove allowTrace attribute on connectors + community.general.xml: + path: '{{ tcserver_server_xml_path }}' + xpath: '/Server/Service/Connector/@allowTrace' + state: absent + notify: + - Restart LI + +################################################################################################################################### + +# VRLT-8X-000037 - The VMware Aria Operations for Logs tc Server must be configured to use a specified IP address and port. +# This is a manual fix. +#### Edit the $CATALINA_HOME/server.xml file. +#### Navigate to each of the nodes. +#### Configure each node with the value 'address="XXXXX"' and 'port="XXXX"'. +#### Restart LI service + +################################################################################################################################### + +# VRLT-8X-000045 - The The VMware Aria Operations for Logs tc Server must encrypt passwords during transmission. 
+# - name: VRLT-8X-000045- The The VMware Aria Operations for Logs tc Server must encrypt passwords during transmission +# tags: [VRLT-8X-000045] +# block: +# - name: VRLT-8X-000045 - Configure SSL for secure coonnectors +# community.general.xml: +# path: '{{ tcserver_server_xml_path }}' +# xpath: '//Connector[@port = {{ item }}]' +# attribute: 'SSLEnabled' +# value: 'true' +# state: present +# with_items: +# - "{{ tcserver_secure_ports }}" +# notify: +# - Restart LI + +################################################################################################################################### + +# VRLT-8X-000048 - The VMware Aria Operations for Logs tc Server must only allow authorized system administrators to have access to the keystore. +# - name: VRLT-8X-000048- The VMware Aria Operations for Logs tc Server must only allow authorized system administrators to have access to the keystore +# tags: [VRLT-8X-000048] +# block: +# - name: VRLT-8X-000048 - List keystore files +# ansible.builtin.shell: | +# set -o pipefail +# xmllint --xpath "//Certificate/@certificateKeystoreFile | //Connector/@keystoreFile" {{ tcserver_server_xml_path }} | awk -F "=" '{print $2}' | tr -d '"' +# register: keystore_files +# failed_when: false +# changed_when: false + +# - name: VRLT-8X-000048 - Update file permissions +# ansible.builtin.file: +# path: "{{ tcserver_catalina_base }}/{{ item }}" +# owner: '{{ tcserver_svc_account_name }}' +# group: '{{ tcserver_svc_group }}' +# mode: '640' +# with_items: "{{ keystore_files.stdout_lines }}" +# when: keystore_files.stdout != "" + +################################################################################################################################### + +# VRLT-8X-000051 - The VMware Aria Operations for Logs tc Server must use FIPS-validated ciphers on secured connectors. 
+# Handled by Application control - VLIA-8X-000056 // SRG-APP-000172-AU-002550 +# - name: VRLT-8X-000051- The VMware Aria Operations for Logs tc Server must use FIPS-validated ciphers on secured connectors +# tags: [VRLT-8X-000051] +# block: +# - name: VRLT-8X-000051 - Enable FIPS mode +# community.general.xml: +# path: '{{ tcserver_server_xml_path }}' +# xpath: '//Listener[contains(@className, "AprLifecycleListener")]' +# attribute: 'FIPSMode' +# value: 'on' +# state: present +# notify: +# - Restart LI + +################################################################################################################################### + +# VRLT-8X-000057 - The VMware Aria Operations for Logs tc Server must be configured to limit data exposure between applications. +- name: VRLT-8X-000057 - The VMware Aria Operations for Logs tc Server must be configured to limit data exposure between applications + tags: [VRLT-8X-000057] + block: + - name: VRLT-8X-000057 - Check for RECYCLE_FACADES config + ansible.builtin.command: grep RECYCLE_FACADES {{ tcserver_catalina_prop_path }} + register: rec_fac_out + failed_when: false + changed_when: false + + - name: VRLT-8X-000057 - Add or configure RECYCLE_FACADES if not set already or misconfigured + ansible.builtin.lineinfile: + path: "{{ tcserver_catalina_prop_path }}" + regexp: 'RECYCLE_FACADES' + line: "org.apache.catalina.connector.RECYCLE_FACADES=true" + state: present + when: rec_fac_out.stdout | trim != "org.apache.catalina.connector.RECYCLE_FACADES=true" + notify: + - Restart LI + +################################################################################################################################### + +# VRLT-8X-000062 - The VMware Aria Operations for Logs tc Server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. 
+- name: VRLT-8X-000062 - The VMware Aria Operations for Logs tc Server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. + tags: [VRLT-8X-000062] + block: + - name: VRLT-8X-000062 - Check for EXIT_ON_INIT_FAILURE config + ansible.builtin.command: grep -i EXIT_ON_INIT_FAILURE {{ tcserver_catalina_prop_path }} + register: exit_fail_out + failed_when: false + changed_when: false + + - name: VRLT-8X-000062 - Add or configure EXIT_ON_INIT_FAILURE if not set already or misconfigured + ansible.builtin.lineinfile: + path: "{{ tcserver_catalina_prop_path }}" + regexp: 'EXIT_ON_INIT_FAILURE' + line: "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true" + state: present + when: exit_fail_out.stdout | trim != "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true" + notify: + - Restart LI + +################################################################################################################################### + +# VRLT-8X-000065- The VMware Aria Operations for Logs tc Server must set URIEncoding to UTF-8. +- name: VRLT-8X-000065 - The VMware Aria Operations for Logs tc Server must set URIEncoding to UTF-8 + tags: [VRLT-8X-000065] + block: + - name: VRLT-8X-000065 - Update incorrect URIEncoding attributes on connectors to UTF-8 + community.general.xml: + path: '{{ tcserver_server_xml_path }}' + xpath: '//Connector' + attribute: 'URIEncoding' + value: 'UTF-8' + state: present + pretty_print: true + notify: + - Restart LI + +################################################################################################################################### + +# VRLT-8X-000067- The VMware Aria Operations for Logs tc Server "ErrorReportValve showServerInfo" must be set to "false". 
+- name: VRLT-8X-000067 - The VMware Aria Operations for Logs tc Server "ErrorReportValve showServerInfo" must be set to "false"
+ tags: [VRLT-8X-000067]
+ block:
+ - name: VRLT-8X-000067 - Configure showServerInfo on ErrorReportValve
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.ErrorReportValve"]'
+ attribute: 'showServerInfo'
+ value: 'false'
+ state: present
+ pretty_print: true
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000070- The VMware Aria Operations for Logs tc Server must set an inactive timeout for sessions.
+- name: VRLT-8X-000070 - The VMware Aria Operations for Logs tc Server must set an inactive timeout for sessions
+ tags: [VRLT-8X-000070]
+ block:
+ - name: VRLT-8X-000070 - Configure session timeout
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:session-config/x:session-timeout'
+ value: '{{ tcserver_session_timeout }}'
+ state: present
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ pretty_print: true
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000105 - The VMware Aria Operations for Logs tc Server must be patched for security vulnerabilities.
+# This is a manual fix.
+#### Follow operational procedures for upgrading The VMware Aria Operations for Logs tc Server . Download latest version of The VMware Aria Operations for Logs tc Server and install in a test environment.
+#### Test applications that are running in production and follow all operations best practices when upgrading the production The VMware Aria Operations for Logs tc Server application servers.
+#### Update the The VMware Aria Operations for Logs tc Server production instance accordingly and ensure corrected builds are installed once tested and verified.
+
+###################################################################################################################################
+
+# VRLT-8X-000106 - The VMware Aria Operations for Logs tc Server must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.
+# - name: VRLT-8X-000106 - The VMware Aria Operations for Logs tc Server must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version
+# tags: [VRLT-8X-000106]
+# block:
+# - name: VRLT-8X-000106 - Configure secure protocol
+# community.general.xml:
+# path: '{{ tcserver_server_xml_path }}'
+# xpath: '//Connector[@port = {{ item }}]'
+# attribute: 'sslEnabledProtocols'
+# value: '{{ tcserver_secure_ssl_protocol }}'
+# state: present
+# with_items:
+# - "{{ tcserver_secure_ports }}"
+# notify:
+# - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000117 - Changes to $CATALINA_HOME/bin/ folder must be logged.
+# - name: VRLT-8X-000117 - Changes to $CATALINA_HOME/bin/ folder must be logged
+# tags: [VRLT-8X-000117]
+# block:
+# - name: VRLT-8X-000117 - Configure audit watch for tomcat
+# ansible.builtin.command: auditctl -w {{ tcserver_catalina_home }}/bin -p wa -k {{ tcserver_core_user }}
+# register: auditd_out
+# changed_when: 'auditd_out.rc == 0 or "Rule exists" not in auditd_out.stderr'
+# failed_when: false
+
+###################################################################################################################################
+
+# VRLT-8X-000125 - The VMware Aria Operations for Logs tc Server must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
+- name: VRLT-8X-000125 - The VMware Aria Operations for Logs tc Server must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive
+ tags: [VRLT-8X-000125]
+ block:
+ - name: VRLT-8X-000125 - Update incorrect connectionTimeout attribute on connectors
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: "//Connector"
+ attribute: 'connectionTimeout'
+ value: '{{ tcserver_connection_timeout }}'
+ state: present
+ pretty_print: true
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000126- The VMware Aria Operations for Logs tc Server must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
+- name: VRLT-8X-000126 - The VMware Aria Operations for Logs tc Server must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive
+ tags: [VRLT-8X-000126]
+ block:
+ - name: VRLT-8X-000126 - Update incorrect maxKeepAliveRequests attributes on connectors
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: "//Connector"
+ attribute: 'maxKeepAliveRequests'
+ value: '{{ tcserver_maxkeep_alive_requests }}'
+ state: present
+ pretty_print: true
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000127- The VMware Aria Operations for Logs tc Server must configure the "setCharacterEncodingFilter" filter.
+- name: VRLT-8X-000127 - The VMware Aria Operations for Logs tc Server must configure the "setCharacterEncodingFilter" filter
+ tags: [VRLT-8X-000127]
+ block:
+ - name: VRLT-8X-000127 - Check for filter-mapping
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter-mapping[x:filter-name="setCharacterEncodingFilter"]'
+ count: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ register: filtermaphits
+
+ - name: VRLT-8X-000127 - Create filter-mapping element
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app'
+ add_children:
+ - filter-mapping:
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+ when:
+ - filtermaphits.count == 0
+
+ - name: VRLT-8X-000127 - Create filter-mapping name
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter-mapping[last()]/x:filter-name'
+ value: 'setCharacterEncodingFilter'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+ when:
+ - filtermaphits.count == 0
+
+ - name: VRLT-8X-000127 - Configure filter-mapping url-pattern
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter-mapping[x:filter-name="setCharacterEncodingFilter"]/x:url-pattern'
+ value: '/*'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+ - name: VRLT-8X-000127 - Check for bad filter configuration init-params
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:init-param'
+ count: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ register: countbadinits
+
+ - name: VRLT-8X-000127 - Check for bad filter configuration duplicate filters
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]'
+ count: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ register: countbadfilters
+
+ - name: VRLT-8X-000127 - Delete bad filter configurations
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]'
+ state: absent
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ when:
+ - (countbadinits.count == 1 or countbadinits.count > 2) or (countbadfilters.count != 1)
+
+ - name: VRLT-8X-000127 - Create new filter
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app'
+ add_children:
+ - filter:
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+ when:
+ - (countbadinits.count == 1 or countbadinits.count > 2) or (countbadfilters.count != 1)
+
+ - name: VRLT-8X-000127 - Configure new filter-name
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[last()]/x:filter-name'
+ value: 'setCharacterEncodingFilter'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+ when:
+ - (countbadinits.count == 1 or countbadinits.count > 2) or (countbadfilters.count != 1)
+
+ - name: VRLT-8X-000127 - Configure filter-class
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:filter-class'
+ value: 'org.apache.catalina.filters.SetCharacterEncodingFilter'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+ - name: VRLT-8X-000127 - Configure filter async
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:async-supported'
+ value: 'true'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+ - name: VRLT-8X-000127 - Create filter init-param
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:init-param/x:param-name'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+ - name: VRLT-8X-000127 - Configure filter init-param encoding
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:init-param[1]/x:param-name'
+ value: 'encoding'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+ - name: VRLT-8X-000127 - Configure filter init-param encoding value
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:init-param[1]/x:param-value'
+ value: 'UTF-8'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+ - name: VRLT-8X-000127 - Check for second init-param existance
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:init-param[2]'
+ count: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ register: init2counts
+
+ - name: VRLT-8X-000127 - Create filter init-param
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]'
+ state: present
+ pretty_print: true
+ add_children:
+ - init-param:
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+ when:
+ - init2counts.count == 0
+
+ - name: VRLT-8X-000127 - Configure filter init-param ignore
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:init-param[2]/x:param-name'
+ value: 'ignore'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+ - name: VRLT-8X-000127 - Configure filter init-param ignore value
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:filter[x:filter-name="setCharacterEncodingFilter"]/x:init-param[2]/x:param-value'
+ value: 'true'
+ state: present
+ pretty_print: true
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000129 - The VMware Aria Operations for Logs tc Server cookies must have the "http-only" flag set.
+- name: VRLT-8X-000129 - The VMware Aria Operations for Logs tc Server cookies must have the "http-only" flag set
+ tags: [VRLT-8X-000129]
+ block:
+ - name: VRLT-8X-000129 - Configure http-only cookies
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:session-config/x:cookie-config/x:http-only'
+ value: 'true'
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ pretty_print: true
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000130 - The VMware Aria Operations for Logs tc Server DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
+- name: VRLT-8X-000130 - The VMware Aria Operations for Logs tc Server DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands
+ tags: [VRLT-8X-000130]
+ block:
+ - name: VRLT-8X-000130 - Remove readonly parameter if it exists
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:servlet/x:servlet-name[text()="default"]/../x:init-param/x:param-name[text()="readonly"]/..'
+ state: absent
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ pretty_print: true
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000131 - Connectors must be secured.
+- name: VRLT-8X-000131 - Connectors must be secured.
+ tags: [VRLT-8X-000131]
+ block:
+ - name: VRLT-8X-000131 - Configure scheme for connectors
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: '//Connector[not(@redirectPort)]'
+ attribute: 'scheme'
+ value: 'https'
+ state: present
+ pretty_print: true
+ notify:
+ - Restart LI
+
+ - name: VRLT-8X-000131 - Configure secure for connectors
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: '//Connector[not(@redirectPort)]'
+ attribute: 'secure'
+ value: 'true'
+ state: present
+ pretty_print: true
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000134 - The VMware Aria Operations for Logs tc Server shutdown port must be disabled.
+# Handled by Product by default
+# - name: VRLT-8X-000134 - The VMware Aria Operations for Logs tc Server shutdown port must be disabled
+# tags: [VRLT-8X-000134]
+# block:
+# - name: VRLT-8X-000134 - Configure shutdown port in server.xml
+# community.general.xml:
+# path: '{{ tcserver_server_xml_path }}'
+# xpath: '/Server'
+# attribute: 'port'
+# value: '{{ tcserver_shutdown_port }}'
+# state: present
+# pretty_print: true
+# notify:
+# - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000135 - Unapproved connectors must be disabled.
+# This is a manual fix.
+# User should carefully review & remove the connectors.
+#### Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml file.
+#### Remove any unapproved connectors.
+#### systemctl restart loginsight.service
+
+####################################################################################################################################
+
+# VRLT-8X-000136 - The VMware Aria Operations for Logs tc Server debug parameter must be disabled.
+- name: VRLT-8X-000136 - The VMware Aria Operations for Logs tc Server debug parameter must be disabled
+ tags: [VRLT-8X-000136]
+ block:
+ - name: VRLT-8X-000136 - Remove debug parameter if it exists
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:servlet/x:servlet-name[text()="default"]/../x:init-param/x:param-name[text()="debug"]/..'
+ state: absent
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000137 - The VMware Aria Operations for Logs tc Server directory listings parameter must be disabled.
+- name: VRLT-8X-000137 - The VMware Aria Operations for Logs tc Server directory listings parameter must be disabled
+ tags: [VRLT-8X-000137]
+ block:
+ - name: VRLT-8X-000137 - Remove listings parameter
+ community.general.xml:
+ path: '{{ tcserver_web_xml_path }}'
+ xpath: '/x:web-app/x:servlet/x:servlet-name[text()="default"]/../x:init-param/x:param-name[text()="listings"]/..'
+ state: absent
+ namespaces:
+ x: "{{ tcserver_default_namespace }}"
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000140 - The VMware Aria Operations for Logs tc Server xpoweredBy attribute must be disabled.
+- name: VRLT-8X-000140 - The VMware Aria Operations for Logs tc Server xpoweredBy attribute must be disabled
+ tags: [VRLT-8X-000140]
+ block:
+ - name: VRLT-8X-000140 - Configure xpoweredBy attributes on connectors
+ community.general.xml:
+ path: '{{ tcserver_server_xml_path }}'
+ xpath: "//Connector/@xpoweredBy"
+ state: absent
+ pretty_print: true
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000141-43-154-155 - The VMware Aria Operations for Logs tc Server example applications, ROOT web app, documentation must be removed.
+- name: VRLT-8X-000141-43-154-155 - The VMware Aria Operations for Logs tc Server example applications, ROOT web app, documentation must be removed
+ tags: [VRLT-8X-000141, VRLT-8X-000143, VRLT-8X-000154, VRLT-8X-000155]
+ block:
+ - name: VRLT-8X-000141-43-154-155 - Remove examples folder
+ ansible.builtin.file:
+ path: '{{ item }}'
+ state: absent
+ with_items:
+ - "{{ tcserver_catalina_base }}/webapps/examples"
+ - "{{ tcserver_catalina_base }}/webapps/docs"
+ - "{{ tcserver_catalina_base }}/webapps/manager"
+ - "{{ tcserver_catalina_base }}/webapps/host-manager"
+
+###################################################################################################################################
+
+# VRLT-8X-000142 - The VMware Aria Operations for Logs tc Server default ROOT web application must be removed.
+# This is a manual fix.
+#### Removing the ROOT folder without replacing the content with valid web based content will result in an error page being displayed to the browser when the browser lands on the default page.
+
+###################################################################################################################################
+
+# VRLT-8X-000148 - Changes to $CATALINA_BASE/conf folder must be logged.
+# - name: VRLT-8X-000148 - Changes to $CATALINA_BASE/conf folder must be logged
+# tags: [VRLT-8X-000148]
+# block:
+# - name: VRLT-8X-000148 - Configure audit watch for tomcat conf
+# ansible.builtin.command: auditctl -w {{ tcserver_catalina_base }}/conf -p wa -k {{ tcserver_svc_account_name }}
+# register: auditd_out
+# changed_when: 'auditd_out.rc == 0 or "Rule exists" not in auditd_out.stderr'
+# failed_when: false
+
+###################################################################################################################################
+
+# VRLT-8X-000149 - Changes to $CATALINA_BASE/lib/ folder must be logged.
+# - name: VRLT-8X-000149 - Changes to $CATALINA_BASE/lib/ folder must be logged
+# tags: [VRLT-8X-000149]
+# block:
+# - name: VRLT-8X-000149 - Configure audit watch for tomcat lib
+# ansible.builtin.command: auditctl -w {{ tcserver_catalina_base }}/lib -p wa -k {{ tcserver_svc_account_name }}
+# register: auditd_out
+# changed_when: 'auditd_out.rc == 0 or "Rule exists" not in auditd_out.stderr'
+# failed_when: false
+
+###################################################################################################################################
+
+# VRLT-8X-000151 - The VMware Aria Operations for Logs tc Server must disable "ALLOW_BACKSLASH".
+- name: VRLT-8X-000151 - The VMware Aria Operations for Logs tc Server must disable "ALLOW_BACKSLASH"
+ tags: [VRLT-8X-000151]
+ block:
+ - name: VRLT-8X-000151 - Search for ALLOW_BACKSLASH in catalina prop
+ ansible.builtin.command: grep -i ALLOW_BACKSLASH {{ tcserver_catalina_prop_path }}
+ register: search_out
+ failed_when: false
+ changed_when: false
+
+ - name: VRLT-8X-000151 - Update or remove ALLOW_BACKSLASH line
+ ansible.builtin.lineinfile:
+ path: "{{ tcserver_catalina_prop_path }}"
+ regexp: "ALLOW_BACKSLASH"
+ line: "org.apache.catalina.connector.ALLOW_BACKSLASH=false"
+ state: present
+ when: search_out.stdout != "" and search_out.stdout != "org.apache.catalina.connector.ALLOW_BACKSLASH=false"
+ notify:
+ - Restart LI
+
+###################################################################################################################################
+
+# VRLT-8X-000152 - The VMware Aria Operations for Logs tc Server must enable "ENFORCE_ENCODING_IN_GET_WRITER".
+- name: VRLT-8X-000152- The VMware Aria Operations for Logs tc Server must enable "ENFORCE_ENCODING_IN_GET_WRITER"
+ tags: [VRLT-8X-000152]
+ block:
+ - name: VRLT-8X-000152 - Check if ENFORCE_ENCODING_IN_GET_WRITER is enabled
+ ansible.builtin.command: grep ENFORCE_ENCODING_IN_GET_WRITER {{ tcserver_catalina_prop_path }}
+ register: enc_out
+ failed_when: false
+ changed_when: false
+
+ - name: VRLT-8X-000152 - Update/configure ENFORCE_ENCODING_IN_GET_WRITER
+ ansible.builtin.lineinfile:
+ path: "{{ tcserver_catalina_prop_path }}"
+ regexp: 'ENFORCE_ENCODING_IN_GET_WRITER'
+ line: "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true"
+ insertafter: "EXIT_ON_INIT_FAILURE"
+ state: present
+ when: enc_out.stdout != "" and enc_out.stdout != "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true"
+ notify:
+ - Restart LI
diff --git a/aria/operations-for-logs/8.x/docs/README.md b/aria/operations-for-logs/8.x/docs/README.md
index 1f255b51..75d4728d 100644
--- a/aria/operations-for-logs/8.x/docs/README.md
+++ b/aria/operations-for-logs/8.x/docs/README.md
@@ -1,12 +1,13 @@
-# VMware Aria Operations for Logs 8.14 STIG Readiness Guide Documentation
+# VMware Aria Operations for Logs 8.14.1 STIG Readiness Guide Documentation
 ## Compatibility
-This STIG Readiness Guide *Version 1 Release 3* is intended for version 8.14. If you are on a previous version please reference the guidance available [here](https://github.com/vmware/dod-compliance-and-automation/tree/f81b17bc4527711969af024ae53ab70180ef1c59/aria/operations-for-logs/8.x).
+This STIG Readiness Guide *Version 1 Release 3* is intended for version 8.14.1. If you are on a previous version please reference the guidance available [here](https://github.com/vmware/dod-compliance-and-automation/tree/f81b17bc4527711969af024ae53ab70180ef1c59/aria/operations-for-logs/8.x).
-| | V1R2* | V1R3* |
-|:-------------------:|:------------------:|:------------------:|
-| 8.12 GA to 8.13 GA | :heavy_check_mark: | :x: |
-| 8.14 GA | :x: | :heavy_check_mark: |
+| | V1R2* | V1R3* | V1R4* |
+|:-------------------:|:------------------:|:------------------:|:------------------:|
+| 8.12 GA to 8.13 GA | :heavy_check_mark: | :x: | :x: |
+| 8.14 GA | :x: | :heavy_check_mark: | :x: |
+| 8.14.1 GA | :x: | :x: | :heavy_check_mark: |
 \* Denotes STIG Readiness Guide
diff --git a/aria/operations-for-logs/8.x/docs/VMware_Aria_Operations_for_Logs_8x_STIG_Readiness_Guide_v1r3.zip b/aria/operations-for-logs/8.x/docs/VMware_Aria_Operations_for_Logs_8x_STIG_Readiness_Guide_v1r3.zip deleted file mode 100644 index bd9cdeb1f847f0571a2f5168136fe4829f59636b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 257234 zcmV(yKO~SBU{Jd>(@V00D>t07U=*09H+RVRB_(L2_wfUr%sl za$$67Z*Fs6W^Zy|OmAm%UpOv!UsF^`M_*E9VPt7;Wpi_1M|EjrWnWKrWpZ|DWp^%c zWM=GH2{=^y`#&>wl4!Ju8vAY-Lt{z8V8%L&wR9T{M%FQu%CCruO0qYilD#5DH{43J zaodPOX^|ExMcd77`G3zDBftA}Z}2~IM&-%{yocFw+_w&B*_o%zu+3On_ zER>d1uLp~?q!HE-8|fb^Eoo_qW5h?XaJEb?Gb}O~=gtgf#bEK^G7aapShUDUE|y?|Tz6q|R+1xvBEcB&E-MfV)L2$lI2RU|83+c%;*AXvO;0v! z6^rA}VFj@`tcU>k4#w~!(5$SaC0P-H$fMwY`%K8Q;A|sfBe+;ooD(}RW+~Pf{ukDW zfNb!1{>BX17!#2V0U6j2J9TK|FAWV=;9{ z<=cxK7#U)X4Ec|aBdz8-(78-53urpfO|hnkngiVoYc`=_9~l7;V{e3Ah+MPBV~y|= z*W5Xg0dy93DGoRX$6&4I@^4_n-`MguWY`e!LIc@Mo5 z?_~Z8y69FFw|RydUTTySJp{Br#3Zhj!`44 zV@tM9(c#r{P9>;odq<=f?5U5~Q~$otY~`Y}W@N)1=Lq+9P`6!w@;-iM*`*8CnxvrX ztot6FVNEL8S03I<%4u;tAJI0q#(K^?m3576m(y~7O`ALG~F+d3AL09er%_uJKD_D-yyjQ=Hy5 zm=^tVI|Aq9yL#=<5fEL0R9=%FBSE`#u7uLOtYppfnh>gY14r{@SgMC}*txbR1$0+^ zyUk*hgBJWDNGi(B|xwYyAJn0i8%Z3p9>!&RDtti2ZAUxGBq*AIkMQnA%NP9 zjm-c(ghg`bQOp3==cvcou(>hrERJntcvNHr%z{KgVB6U;Cc>HwXoV9M2?sjD?1DI7 zNHjJzof_$%dOqESW>DwYZ^ywyK3yF)0iiwJdi;0OzNQg^L!$?n)lA1PG zZl(-INnyc!B?U!AteSx)Rz*)$QBiB5ww|F8fk0TGX|{-nw=^&&;Nd|~5)u;Aq^8Z0 zmY#!GR#e9Sua{5FkgT|bs%WebN(Dm8qJ(5opUyxFAP6ObLKbLZL7|0&MMTBKB_ySQ zLj4Q~jS><<3k!*e2n&O&3E(;;EGr_XY_vplCY33s5{Kd9_+ByUi(}hGcb6Y!-y@Ml}LT7k*dU^Z!1_ZK#fmSFw6%9$>*~IK zqo=p;-oX9A2M-@T9vU7Ud->}1o43Eb8;9*eK|(0O@6pVJ{ZOO0?(eH1ngvFy(omh^wJY|^mL zcJ)EigiyeFLbA|e=x@dnB7@;g#dZJ<)0Shg#vINb#ut{yjgwybaSHRsb*2aV$i zULJY0J({|bdv-3ae7oPHo7Gj`*4|P+=r)}2#Hy*H<3abx>eW9jt$L^Y;-f#+iM(_- zitI!(k^n16U0ojoWmDlJ*OI+9R1!F%b<&}d(&CIw9ZqCtbY^avus{p_^(XyvvdBM8 zt48rxY;l?v^j&@{X#)eg-U{q|9j(Eu8l7Iu=xF(a(u9lh7|zPn?pSiH_88}I<-3{V 
zd)Aov(flaub|2LFkKM=e+ee=?ZlCYB{88%GvyC;mi)9|FtD9&3NE8O6&H!F@|DxNS zNNBkNSnlEJqCcDmESz9|~FY;#?7JpGtPcT%{>PNjI7^?MmnJNtW z6{R|T!a?BPkeO`V!^e-O_08f1Nv4^ZoDJobG-mgjc{ARpesDWsP+8elaVaY&#qGkL zu3xVw#C4YbeBjn-^y(j}V-ArQDU?`st|A(|Y;kxOQU}8)1GjFFr1)xYp-_CaP>4rC zZ09F~RiXq5L{+OeO&GWg`YW>LEQY$=?9CEzAJli55P8Ly=fkC( zbVW#tJmEgdQ_Uia5MLi}5bQVPt3o-U#)A)-^fArXR<9b%$~E?zx_ZhlR#{Jf&d@!U zV*sLiD~RqLxfcKNr;_9wTGTOh*@(Lh;V8DD(JT3`gU>@WT8Fa@SXoa7{TX${!GMD0 z;4p`^lHpY|j10aicu4HmIqG*s=sLLl=#?X1O9B5LsdzN$VT8^tM{nA6wj;Uwk{dmX zTA-;bhve?kuGeNJ5=S_-+6cMt^Q)`m48OGuTdv);uJ-23c_e-Hh^UmQ4ittNJ|A`& zAnUGdBuB&NA>ht3WkIxWkON8FUk=ISfDXv+3>XhfzaDQObwY*8` zl#y0x$)U?LV77)UF>8^3oa4VcT_AJ~9#MtOT2ZlIjfbks>B;)+|7DxXLDqKa2b^B> znh?5Xciz}r;QRw0T->YM84a;(i%fMf!)rl&%VidV+8nOI#VOisE$AQW`R`tbh41k| z;PK25(PsxF%F@Mo2*vXTO%_p{-mL{SxyQ${JX%-Dsl3LP@&`W*ho;2Qkb-U0yPV#i zekVUWyUz3cjLGinzw31AiONk2R)GHB)BN|eUgm;dGLx(d%C;=)h2h>VgebdC$J11M zvdM*E-|We#HYlwmugArv@+tjEsT-j5LH}9Aw{@`w2z@rE+U^n2ln7Js-`YV*D;A z?$u9{D%ha#V6)J#8{e-q&%wy|Ufa}4`RU-X;r71Z6y;e>HK*B23-{F?UXu_~U6gh= zwyb|7LD-P1ifM2MeagTA8aTGa@s3XjrSpG={S(xU;iVfjYPWfJYzoQoiJa{PG z2(A#}WRNfMcf)8?0mYRKDCaX_CW;_AZ30aEw3G}~QGngb;AtjD8|oiVD05UDhqsjO zN{5s#$(|d#PiTrtm$9E>nb8Am%Ci0wx$Ya2z)UrxI+$=WT~LR~Dz@|BLz)1nz>|^C?XmQ7ID3r})7QsYz;(zmVhfU95WblBLeR|5 zOQ2jq|AowE?yf9t@5(;&uz-Or&dmK>@Jul1WK;8{2}_upes{w1@%{Kf@B6gN=b`Bj zbBVXvp2V)Bwar2e2##Eq5SmS{O?L}?v*5l@cU9#f*Mp|BJRY!q^i-Ih%nS36->|Z5 z!Q19n@;?e-M1f&c`)`F&Sf(1aF8#EJJ((cdLRKLOU}RhoIt4~1(o3GJHMhex&<`<; z1674qem)QVjTApVjf36TbszRFs*cu4pCKqgl|OUS)K5?DSlHYABs77%{4Z2Kg1%UJ z$a-U`{dvN+UIKllTy7f0UlNqcXi0#ZIRXL_STk8+f4xxVQ{NuNNWxadP@kT=s9PNv znw!p9x!gD+w5s~K?bR&j9hdTCxUE^e4toz)bu&7yrL?re^-!zL)hw4SE?R)BvOb)C ztQ(r9dpUb|VehN#O8e}1|2n{QC0DEy|Wm0m99aot5hsN(+*gNBoKsWTPf<8V!3`6P0E&-O#Tzy4+b>XKr2yl||`c*xi zmoQ$1+GZ9d%wX`bb85E)FiA{7Mwb@w#^VPP9 zb3*^a%iC6>cDBXizjiAOmAm#Gy>!Ok>_g8};49B^EL?g_)-tfO_AY^W0si#qFDXbS z@I)J&a_A@lwD=QnULEUaTG?TQ$dF$GH)!yqaeYnH)@u;e-F)o)%$%$WD z9@Rl`e05>fNzlPvywm?izJ?_Khyo`!bMAdt%UWL%43*|h{rcSBHzua!S!xD@B1$fh 
zoMWxMUk})e$$R^Jl?IHQPmnL}dC{{Mcon7DCm+$pulT0HYaAeTjW}GRX^BK zkFQjjC+SPk-r_rfOoUQl04^b^>q7uOpk9Z^q>`PiTLksGV5(B^1sM7G%by^&VPv$b zpZS>&96Q6dX#82ZSs<}_#qJO37|Iw4GijCCbz)Hp%d;x!rTO9GK3;hlA&rDJfffZa zQLPWxyD@$1sLR)t431nWE_Wpi>{m)k)2h__dJ_27gg2(==yyTVJj+@*lfTD%R8zwP zm{C;{dtE&KuKJFUicv>G!f+v%o>CuNxct=OCZ(hT*W!9J`;Lh=Ivg_`ZYZdJzs^dg z2nA6|hDec}JXI5%%FW0SbwSSnE3Z`s2^BypbJ%kmmVrE1hW#IQu00;g^ly*DAQbi; zc2e3DH6~-pA(7Uh38Bn5Wt4U3U}(xA>~`2iNhVom6-v{LLk>lQMXD81Ng2mgbfz5J z)#2T?c7OMM&%v$$G$dwst*gaq0;f&^U<{Uc`tjWrg) z6qClK0(%6s6T(XBFZ_7^57JeJy85TL`$u7QmF>fpUlqdV*-y`to;)nY?;C$UVo_vP z;rc0G%Pt;ldl|rOj+}1+koDdot|E{^{+gGXTD$sCj%oXMy6(|r9QEG_ps}*kkqZe! zPMA5v>Ys)JMeF`z|GsXj&z3c2N?-2r8XlJm0>RQ z4ri$VLFr?{3^zF@>=vPdEe~>!$OlEiD$GDsr)zTI_gPGxD5zh;qTJ4olFEygQkHRY zOTKw3P%EkW^@vV7%iS=o6uifBNhTpzG9!g4gM)6`!JaIs1}H~HL^<%?32aWTG=~Lw zXVQ%Grliiw>74a_pWFk-E_FgYIvMHI=p#x zXLG{t1(#k?Ycv%CTjgK@^O6mg$2@hWtOVY;4L5ahQ zSO>g4$_8Lzhe0L`BFhi00m6_|Rh2Omen?e!_YUl@LiLii$=p zt0R9q&|6;QX7zQ>#vMjQ4$Ve6OGwKX+%i|n`5lw{xflH6vc?J_HsccW(s}z2^|V7z4OZCm#@d*KdB|Lir{mbTW!AbXqzUbi3$5*LMxixPhzz-#9EBLB=ybC%=@YD4rnAxt3^ zN$3Q?Oe)77nQ<9yhh4i!_l6Y-o_8xq6&I_*iuFqeckyZ&pF19LIuQ7dS9Sl}FMq4p zN`+o1xQFhZnM9|#(stnS^ke(R-^*46P{_gdm1DQ}C?_nwsS(S`P{pkw`BCdD8@lBr){44Cq82*e}@{s1sKYzQGv{1u$s+?W{qE2?Yh2}c30 z<(C}0u^+cvRW%5IH*8kxTg?DA=d2-Eeo{ST6Y!e=DAXwd7>CV@jzxhuk7B7H2+Kbt zbQ!(vPsK5mWqpaCsFgF(!V{aK(JWGa|89zp{9skop#w zWMWGUFxWQosCN%}htEnniUO7M0qa~S#=g<9z&c@s9ty)1L=G6&t}ckAhHC$}N;DE< z>%|GEaq#ciPyl8d z6ggR!jop!q;GX$w&6H?fwP(zIzXB>(;a+)=RAf5TIncHPri^i>y->a={Q66j5ekR} z`lJTbYNd$g^@UvterJ?n2D1Um^ehP!QijrC5m*C*xiN*?OeHVqEj2We1?r}!r+BML z&P+ZAu45(96|4h1LE zfvmAMl@0Bc7B0YIT$kcje5mj1WU%yPwWU1~q6Ol_UAYL-vXMT3=qPot@lDoi8n(HdTn<;Euqr=zYD8wAE36FaYt)&M3yC6 z?`=AMSL&b!R{Pe?^*!?!J|oIQ+yA)8Ba3__eVf_X#s@LEYyhECnpb3iylBD{UE%uAdW=6&ca36b+DGV8(nNYaZAt-}%ca z-3Se`k$U(fux#W7w+U8p)X5XnN&`+E%Sy>e0?(4r47*?;T?l9lu~6vlUFEw znu@cy?X#?;`~vd^0MDsMJD+rg6A5nxETwj%bs1hdBq8-pR<&_pmcu3nDCV~50Ga~i zNTAUeBn$}>CrLn4&IWW)WXeK4^aVsV{o+5$vLB2Eo)?D!gtZag#<5bzCWU&Xt|M8g 
zh751zZz{Yi5*S4*13NB3Z%u5Go)Rco3nw+Ar_t6Q#$KoUEAjbtz-@W8#Q~dPMIfh< zVWbBGimSlB#X5GQG>qWSF%K&h5MBOaEL9|f+<%tgD4g? zp#j$^`L?96RWfZ13C%N#x?#$KLACbHT}FC?08)NEw&6z=s>Oo~oVNg6L_W3#9xa>r z6-@$lJcT-@V7s2K6M!FMMbYb4=7-~stbbgPcVIo+nJTa_iZmE~L(EfoRG#1j(iWVj zgr;grtq7{Ll%IX)`@bI;!D@5ZnW=J*KXV_!hPzjm^;$1Z*uNn(kmzKKu+;&uMdxFy z6tcjP6#?q- zc3hkg^3JJ8-oe3MZ$KsY@&9I>SMBJ%Ya1k&XzT3XgaG@_AM1Xvpc|orFu62==6Xc~K9WGY+R2?j$ z45&AJ*rjn1nfbL%VYM0VM39BzPx;6eyG8U6)u zAMg;8(AVqm=?r=^KM1-x987AoU2bZ$3vpESbL*7viK95~-*(DHbD<)_nnX%4*7^JF z8^NZOx4hdclSbzg-UrI_49ad(BimpcPDx4=jVHlh6^+2n78$WL!R|k?j2$}rsRIYn z!oigW*!zQXDW!rA^_``;iTqQ0<7kMl*yh8qQS{}P#<1-eXEi+TI$Vmjsvkex5XKkG z9weCJb#RQB8?bKUrDVj!g+I46>Q5W1)4}C5QJiFQP~HSR8pqy=B_^hVcJ`B0M@MAGBy6?NNX_%trE4r-SnPjx`EpQI{gX9H zQr-Q9-J6MX*t(|m_0Ffj;zAFXD9qMul#zs^>mTlwXjRDbwf;unJfUs?7DE<3R!H>&S#RZ zgmZMqMBCjai%?-c))XEOaAkRY$;n4Pe6-Eg>R$QnH{HA7f4Peu9(R~L9}7$uZ0P$* zXwAHY)=bnWRGvoHlbfTafo-;VK{J~=-Msm_Ge`@@HW$@@cd7&s)iRH7ri>QR)Jqsy_alol>rr{Ixwpj zJMUbTw*ovCtC~H?Q0a`z9W1U?!&BuBh9nRQ>D-DIp-%Es2*371E)_o{2w17eYxx&I z#)2^y7EV6E3oh^iECj$8P+i_ZAs9A)QRWW$H2`296iGeVM}b>L==ggo@RZ&`@ywbz zHvbq8=k+p980iOFI_)`n!K+7g%g0SWi(nPm-3YyOn1SP_uk{tL3PqFME+RUc47&td zs0cIF3H%`6DTT~5iA4JYr5jSn@pFaSDfpN=2r+er(n0&#sVF^ugH-puPW4faZKg-{ z(?=n2R}O$vm1(`8Vuaul_hxpIe*&(BVg-;gcQ?56r~AHE4ZP7d_5{>C{eg`1v`lJ9 zga5ekZpxaZwTlyc$y=!rZ5qb{=j7Ls;>e%a;O(yAT%PL$9ed>ls0&WWpkM-0k{y~V zB$;J_;t~lkkmH3Y?lMC(1^yyYu*^gmg}x}$x6xR?Mz05#d^-6&@ny*2ZmFM)mq+Ls zd~b_C8vMooY+x~)@B7SL%YBT;tSi@ZG1-bIigasRW&1cOPJ>co9d7n>*Lk!7W2L%A zGC}+2Mu@ZlV-51TExpwnT>*XF zQcq;PDQ9ddCVsWx(m;U+Lw(hyiF-ennVy6?Ny4Sy2{|Grl*rjgPQ}yA3QFuu2UL}q z{N2S4&mS%BodhSHcN*1g@JD5E?%_)rD&2>!uDnFwp-W*K90X{ywMCaoyN7?Q+x zqNY$8$szr|&-0z{%&@h3-+lksc7LDGKA&x-a%e8secji6-Orp(_lHF>P|yfMN&=(j zO3@jR$X4ek=`+FZ=UrvfRQ^)4B#$H9EY!QfrJZQ6DcMty{k!jQf}WOHFGSf$D#Ba% zp47D`+x?Pk)MoK*ixuGjH6F*NpW!B(;kt*g8#F z#l_pR4U`mUrH>*OgfEa*e@goPR;yC}^rKw|*e!OCOjD;E#_Qw#RkS>l=#5SsD>qIU zUSKzT3}V$(ek1weQkkt3k?xW6w$UXb-9P7TvN=0aFLX)%Lw^V_c?4cEzaLa<2KZvf 
zihMht*GY*cw@r)58@`~Rp`RB11hju!1lJh|EiMR{FX8lQojzu-h1gBu8} zi{6nzr8X)bUl5UY927yf&}UiE2!pXrA+~C{zKJNd9{3}qm6S2S2BZb{4fT>Ya<;u5 zW`pZGl2CQOaqA_Wb7fI1jWjKnn8I+5oxuYF@aZ2QVE2KhIrXi~I#Mmug?sM<7Q$uLfLF+RfR5%*u$fG?nTRI-wkNm)p)JyRZv|pZ!xH$Jp#xCyBpW&m1)ws+bZ&bc4+SLM`JW(FhBIyITY`^0610()+melpO(F z&fw;?aee;d7UU5SU#@rj@$wbC(&gbcq~x}cD<%Y6GZre5`2+=y07*bv<3R3R3jG~4 zErBuJJmEJ^#I4UkQ1w3$RVwLcFL=~dxn%b<($|~dQ*nHJ;pN+T=Os;y@u>)Rc@b>X z=rHw;RzC9ctC-_{`;clCLRNwAdOg=LatuZiXOYB{CJ&U?x!Rsxb#!65 z)@?=Eu&#mmrJcw}wWYAM_>G~IVDg7ejo>T@01CW_QeYjGiT=(!K-A!m3M->4yCDs}&KBcIc_XRS5D#p-Q5V-a-C0qByoUJy(PK+vTk8``dqg|*uMTi zc1b9hEI9)+Ip`Q$AGVj^v%~460`-c7r7A?%6h|MRwn(n(adIs6p=8=E&nNY*u}ifa zS=VH)%9$uyJx3bH&Sf$M;~JCC=2)54NwTeGL0q+BmODY9+d)7Bf`cXQe79HC4M0UFxWLQXN}rRXI9PmTKG7vF^l;aQ?&G zi@a^?o(!ayJ#v0^VD#~l5zu#C{BZ`LAdzG$S|&l|`~#NYo{u=#3ZtQNAPW2-z&|SM z3UPHrkum#xhD+H6qoHPcKniZrWFrdE!FVqvwXWB~sTKl`eTJN#`{M&_WN12>%1`7- zK-(1PbzzKx4QQ(#mPePYjK*x>h=DedxJ?Y^E7D5?yH2=AE=xAo>TZ8X&S@;;F)lcp zx=cBItP2>p-%!)*a#~ECOqHe_=K8yvtLJ&#;xOnF%ACLJS%q*s$~6>`*!#+Hm-76D znu)+m4uhADBa5%WOuklrllQG%vm%10W27CBzRYsBPtP(Fpe^?tZ`a#{n|vLTmMr|L z+u*v#AYcbCc>$c}!EZn$e}gg@zZ_C0sGRE)9b9zU+UC96R&svvnL5_=W+q1pCl;{G z+T5l=fspO#$8OmJ5ob;_r(N%cpNIn|j99QMzzYiq!b%yUFPfv!j{;w#1SB~9FytW% zx?ENc_sXjhZBw}ZLu()rR~9!yhC;M&iShZNAOLH#8EJL!~{G!@(WBt$_xUYDDn0 z(7t&SMHFAp7iQfM;wynyfZ|IV!Iz>k;IA-JZXXMwEtD?CR!9(oX%J~2F>H->ErhLr zjTR$3({tD1etPS@x@Cz+M!nKfa5y<}I`wH}n00;*PCNitN#L53lyV`CB4OwU;M5C? 
zOQ7bd0vI2HQ6r4!z{n1YEm$a}u(~-vGMm9jLJ(D{V41GMC~m7M@uoDDlYHfRH_5c)N18dYxl@cUY#}rO+ z)XMt9?F-|kjL1)N%@%lPAE<_$DxQqJkjr+@X=V?>pl9Lz7k??JdIgt8ar>yZb+;i3-4Md@L<+RKXo)^AAT5O0D zL)j3~)@xpS9r>A=Boa>gybqSIUxfwPg=rhX&10*uS_nwtBV?9gv0(KqK3ARn;#pSo z^{6WJDq@42kmiz7PWtPIDjqQ}SCsd->6P#9CmzTOb=bOmdaqwXb-v~FkjIGhdhkdm zsj)4jBOd9#wiomTf#@FOrT+`eqOi6G;jZqHt7R3veQ7~$Wo;e%2b&%=ilyZaxDTk%0XmU@UY$1Co`CU}r-CbKyTC%|OcDj#=WDy)Pec*yl^7(F{13 zAj(Me5JJ#=c^BNlk_hwD7qxCB==z|<^>h8^>CH%4d~6{384IsJJN#SGP$4e{T6;lS zb?n9OzzG92Xv}RyCGtgSI=ayX)|BY#5`!up$84*B#F|*!6CQE*3{qsypYv91AJE;N z@Lc4fUW8-DH(%EDT6nU4d*q*4X1Vhw0@%E(b?9r$XP^1Mz+dnSB1{cRLE^xs!~(@d z6Xh-FYiLx>*g2Tk^B$*fI3v>*4n4iteQ$3LVfQsH6)hvSAc#8eFX4+}-)hi? zLW!uE+upNb+6@0rUS6aewH-kfeg%!i_;KUxE;3%*w>$_PmZOa2(Z-W00#{`R22a%e zf39b2RYYF88G_O|_L5+DwTu{gcUqG?xcj)Mz?c%}Qol|uCHjUu`Vc|cF8!X1L#HdO zjTz@)^;0d+H_TobJCo#|8F;_E&iPJG$kjc5eQhsyU+8cfzUX(*B^!m604Rd|6v9p+ zSSnTEr=o$XKN0?xlHc6w94;?^Ht*>En;rWL`g4L1RPCzB^&(K#?a&hFt7}j#0nh-O zGzGd0z!$9t(?e5OEa8^{?9_D<;9&@su}8i>T2ZlI&Avzgq_m>q=+_%_SksXr$i52V zJQ2I-g*mn-P0AWq9Zt&MjItMA15sF{Hr{70;6L?@>mLap75c#TI;B~7WtIi$h{@Nk z2H7dTJCuv6CCQq3GYMPcd9qzYZz_h;GSovY)-RvdjTFFl2g%e;8VjgRmJ-A5orR<( z)`K#G!JY%7%M`j->_>|MH3H5I7{3ZaSv^JX8;<%`41gilwfvSS$6|8Gut867pKvyucRZYcA zQW(OSj7}Cyw{BH=9PbDbRahAPX2UckMW38Z1UxE{daN)O!x7;qo4JRR%e8{!TuOgl zJLiFknTc%G{o7{Bu~Eq9m!9Y)`KO#ufL5c*@%f?Y$AjqM#d8DJsb$c~n!AkIwGU=a zvOi|z=#&38u;2cNb;#fHR_JJBdmpWmaW9H@Qqh|6a@pmwT#f#h7aT1Q`X#T3toB>` z;@QZGcrMMH#C#3Yc2lt~A5sC1iJ=6g4Rrt~flY~7_kzDC6j)?wdjv~P#+08BXa(D+ z0Yrrn-Iyh+se-W$!a^}zkYi308tbS550v>z7^8vHo*^QW3zv3vfG+{_HLLMuPA)1h zF37Jj?4#P*nfYl?o_XxoCeBsqeXlfk=MijV&%J(Hs$cMS{|a9R$wleETF7q?mQ^9x zPV35wWg3Zug#I;Wtaw-F-=vQye7-)HMEFT9fOytG?;Fi*X|i%SAgCl<{_dTR?1=tUP0CFSfb z9=LRKoN1BR94w=&1kAXuCh1-*yS>vxg z$wprRF#Y#U@=nN0kel@dT!+M zGNLQSQp+tK+BT&xdGk0uA!)MDbnsMHP7BNFdxOE=LB*xPz&xhT_W8=`5zA{krI4#JB+fKN^XUmkz03k?&Cfo&kzFLDa2?`JFh*qM=b zBis)_Ny$iHrsIT$r$D%;2Ncq=THu;M%cq@7;w@dJ2hyi9>kuQgZYt zc(0#Rms9d85G@tz9J-1gDdlOyxIu60zUp+w5>&)$NehCxEMXUsN7*nr_g`8PKYVJo 
zf;UIopuBDI&1xK8?2;s^*JX6Sc6F(g?Q~RqrJL|;MtfUK(dx?H`TZ*%tPTCuQZ=7g zTB@QM^-}+96j`L!E58pyWa-6s8r~VOu9%yDc?3ZQv*hXA?}WqveM{7%>u1T$@-~T=C_i4zBdWY`)uz?Sl@x~HrB5gyx1PQ#?5-@_{ z-v$D>3*{XFv7yB=-K58Dre8vI+J&=#ZDynD8ze=6EEld*^H;0|lW0K|+$IvV;V^5x zAkM|MueD%5=BR*oe(&7*l&H(lCa>B6-Wl9=H0YALQ{}h5bgdiEP(gmQBNiqU2w5tW@H_yL#?Ao^s<`d7S#B7c$Vfx?ozr^;9HI_Q|L^ zgi>pZ2)fi?{g6=g8}d}42)bT+Yg-=7c#k{Y_jTOXZijTU;qpy~-hvj;G4v6dRl&9b z|1!=p=>xhN1G-$isXv0GuyH#Uz_*f66psJk2j=jjSZ=6;B^X5WSIFQjhsk7Ukk^o_ zN#e<;%Kd{?Po&jk-6$(6KuYAD7Tcc)lq)jVWP(lPaJH%oE~{NqxHY2vRjXg$y*{Am z0kMTG!eus?_*57Cw={|zz+aB`8>xV=0;F*FgX~>`5JmsR9O+`6O7UMyuNe|g*vH>< zm~BB=J}qQ5*S|b_xz)pLy;J0pLZb80!20X{mZc@0>w7jAINlzJT{?2?$cK($K<@Ubm!1u*B3ThI4Q=&mWVX~3a1c_0qS7>#`OS0KmM{R4w~d? z>wDbJElY?FiUMn^>O@W}QQDs$qF@Uf$JOK1{m1d50 z-)E~A%3B2ZZiLm63pMky`7q1B=BV)pnAtuo(>oPWQn*FPWC;Vi>=ynsT$?z$_J*rZ za!I*{<$dn(dt4=94$VVd@7Y{+ROhUNZutKX1KzCA(3I zvfi?$E+R3Oq|#Tatu{Vb@s7eD4_uuOI)@8}^Qo!#`A z%hm+WW%*3tTx3XUyQVPfypY`SlY9r*GcwB{tT<;a7E^Sk4e-n5LQ>+|r4XcD$Bb2+ zmzorPglehX?VR+OSvq~A3dmcV)wSPh zEgS7N-S>>B!E7D(3+%P`(SU1biH3-~t=drM(7CZoT2WrTV#ofu>z)60kOy$fIUM3P zwK5HEQ;WzAUm9Q-T3sE?WoiZuua(KZN#ujKIi}`FyR9P2G_}HJhuGBPL9FzT3~xCe zW=`X|z~u>5zyj3jRccaB%R>>!v&-XXxmS5 zEvpT$4JCZP@%#L_NPIhugf!3l|JYrPe?K?3FFo5_?iLnBZl+ZwWpa2F_ni&^IPqq?5B)G{?5I7u4y5b zwq5A#K={bO$TP1+9*bGmU{9l#oCKc6L1&z_#D$QCbH(aAk8d!CH>f6(gHJUrci+8x zX!|#~0aRBS-XkVUQZWXv?=C(odp+<>cW;Ld}yp2fTw0>G=?@OnKlzGy&~5WkV4Y z>ergeTz$N4Cb|$A4r#)iBTWCNJ{LT8G6^frC0K2E5uyF7rV_?7Hei$inQo12)gnJ% z5-5?XQ$S}xw{KBZN~J1Q%HcF7n0lh&Brd$kP7ODEMzt%|$<=heg{akhOQd>M!%^*B zcvm*>hKyf;8&9b)PB0U2`sPl)sODJl49TTq0}O)_-@m?`EoSVY0~gP@9+J?ZtAm`P1v4H8`j}KkgVhU-BNToa1&bj1GirW7oF5YumQ% z?%K9(+qP}%t!>-p`7Yw*UoIdk$;_JPtIE7a%wcfYpv+fSod=W86hpbQ^-2@yWF5(Z@=)&^ysXXT z;tCvpaH{%R@>0jOc5In!MEodKWGDYGAwUZ+bylL(`FP{2Be=r?Ig1|T9M+f=rjzYQ z>ArZDtX2DdZLTAUJv_of8{0!jVi{JsTn&RYqNn-`*vU3qm!=F(2ItfsLE{!l*|i{f zexuw!dS%1>*vGCU=VNm@#p@`OBbALKp=6{e^`)V}*9F~NB(317)e3Oux~W^RJof-% z+jQ+HHBOC40E4$!!r+D^>5~0GVrZMpQ%zQG>#1A2PJ*$vpcfHYkXqXOPr8{NxP?0) 
z$6jjD@uX!k(yu*`_GDj0s!csA=x7v9?)Sk!E*EpN8$^%rTA&iH^;Ad0V_{!-WI!2j zNg-)b-O3PKgQqu$s?ES zK`K62sZnY7o}vlfi*n^mfd9e-V(hAJdvnHm5=;tCsLnQPLJPaq<^AP%mEL62G;~9OZrzLNa;*Q z$g-lxWtOq=V$%mk3~Y-}Gary>1*`{j*Qf_~@6=Kp~yZcB%bKVbm5~|1u92S(`ScSF#-r$O9%E8~`J_)~ybd0`jFSa`?1c?;fyohd%wZ|id({I(;KKX)}L z&`hvFBrs?kc89>mSI~UEG&@ApkGeBhdO|MHJadi2JntV91<|v7 z`rn2DB&qmCGP&%v(HDQhmr#qCmT(CmULEnmtsjBe#`ZDR&v7xZZlgCmC4Q{7!X405 z9d!>S6_NN<;2&X8tL)Vf4hHD$@Aya&r$d;f0pzB7x{6R}?j8c_Q3iu`Z8+SK;o3+1 z#v_dQpbX!&*ofV$-sU$j)DAQ3wgO3(Wyhy2WY*Y^((o$=Uf$WSA?FF-8xC@b6y_?H9AX+0W)Xm?_fbV;2mi!os8HIktWU zJ`cVJAR)aP^ge@UTwbx*_I1K$IfHGM+~)+Hroyr93op}MporucQ8pS9%C;ru9oQ(a zxxkgy(h2Hd)-d%KyopBXGc$p}p88N`1fKmG$DO}p4RgE}_Ty=Nz>rT8D@NB12NdI7 zM3|e-$zGQ?i<#?VE0Bm!c2%y3TN)Lj@+ldzlJ(iodjpT#$JVAcV#zML>ZnxFBVlSG zbJiA?Bmbs2N6G3a{Po~o29K&9N5onuki>LFy4^G-)52Fo!$0LefP>yW)`Cw{tWs}g zm#JqR)CJVE2rQDTEgCb~ag5P7tuyh){b%#8Zg>1ZFcRcuiMz2kfFbMR?+2pH*FN0R z3DbSD*GTpUJ9FRNS>CKz=S%7nrVkJI2GY-4kF9y5p=hHlq*mRzS++dz3>8j+e%AWinwWNY(;qw@Knzk@lyB3CgfePccRBDsJ{QrC#L%d+QF0>=G+b77hjd{;pg{5 zsIIz8-;xp`c#kAb%ki*hAs`42cqqN#7-;f>=}2m6OCN;=bz`kIJJU?#WX9Xk3zikN-!n& z)Mt=m@CM!*gulX$-z6qHU)@Tpp#>p3IIJl6pg#!^%Q}bXDXz$S7!Gtkh%aqYodCXW zPx`)9f6Aym=DdOq{ASyXC!RSv);SAe+%4C$3==K$Hc{E3ZhneUU^pTR(Rbm6(ZDB! 
z|EN&Z=Mc_Qc7?n;L-*zX8*?o+w{JxDmNCffaXzDHr+Z4np1yWV&q}*|j^si09K_YH z+ds5^A=-ZR*St~OPB20vRj)AX&KpUoVv_C?sm+XUNTQv;mU^fHZ2_OW?WyM=9^qsW zk9{YM^=UX=z)*P)_7DLCm@ekK#+T}SijOO2*sW&LNZXBKy=Uk?Rg3=68w1m(em8AB zfqFldKh@qT2K91=!TGjTL;c7)j>{TsJ4?*T4kOE*9}ukEJF5N+L~8TKv!p4WL;9BX z`_N0Peql5%i4cmbPe*=SDwX>+#sbUcxKT_qXqjpLM9Ok*4uOKd6`qL2e8kVB} zhA4Z!t!^Tf#8?s87Q}D9s?|-dom<>Sdeg}(6BeXc@x5`?om%*yl9F2?yb5UglE6m} z&HayWQK}N#tGlU(tSd3oypiKx$7;oXpdw#PMCxZXa`(mf20`k#>oY4QW=qU=cHX5& z6Xhm^d~2fi!6U(Um*IcyfM*;L{V9QV4Yx%sRH+D2Vz%%(&X z*P*6xQ)}y0R4^XY!t3i4`<2zut!u(OB2%q|gwlvwyI>)Rtv$^aiEGj;?=gnKb@tIp z>@Ieg{KeXX{AK!)y2jWK%(sM>wQIYsME5b7r`xNTU;~_IMiNQ`y|hL7XgY2kV|EG= zb)_86%GDJM0<|pvMWr5E)AP`FYf8jD=)@;(1KR0G#HgdsdJ^W|DN3b5##&4YZHxy8 z0kp&8oYkMwJ7$pgr9k}FMcb-zi{-Nwu^zWxQ#7{jZ__0US;v)d4aTqctJk=_noS0o zy!1K37evdxQnsIKi%VZ+Ej89FI@cSH2s6kr`$iL_>klmXqyUA)?0Yf|rZWE2=u@`$ z@~0RZbC2f;Z_o$QRn>pvi?p=^+ZEfXqeEr<^olom$>mpoG|F#zX_X0&+#+awO!4(5 zl0;2Wv`OtV^7_1TrhG3>;YEi;7cA#tlk)J$N-?`hzSX$ehZn%@4*Hy5`_h&`-Qt@= zo+Jour!yWQ1_F#zV6SXfjd*uATCLRJNmeR}JVci_h?LqD^nFLAS7&uxC?_U&6%v({ z5gj()Ib>DQt@tn>lUB7+7#u``3J%u}-+CMZl^*8CRJD}NxNR-7aJ@=2!Sl*vYX?Kr z{YdAAUFO5YH5G4oM)T^5U6?d7sFXihvg$PvE%zGDO0dVjlq^60(9EfdVX&#l%JO+$ zkvX9lV`+yik0-@oZXySZltSE(y>=jWBFJyR8Ho8#d$G{RPPx{;RY-OiUb*kfjg#lN zBZekiQ^=&kaWtQL#V-JZ*hr5{dd2jadxumS;np*8$lpXpe0FL&KizwLZvGiRX47uc z|10GThsmt$)@6kILX5OLj1qn4v=}3#_p zl1BUb_4V2#X*{e| z)5tEFR=2-}Vl0053pUaJWI7=B_|^4Nk5ddctkM}jt*wd|f6WyXsRd65n=&I%epv5Y z{3H7Ng}r38H0Bk9cncu>tYd>bAj&bSXRL(o3XjaydT3q0{ubFAA<(3rGA;KMzXrau+@{kUE zJmj;oXS+N^^5j!ITJ3pw6kxDk&E@q~6_z2o-OjD|?Ot1jO@eu@>b&q!ovS7Fbm!Wj z6}k4=Lw?e14;p9;_R88Byo&}AjL3*}g-;qg>h6jd2}e7&gGH~2ol?MhLkyak+ZO~Z zib@u@7Bjvm?PNg`IFy)Jr>hkhG1_ogH`uorkX4-Mruvk3en1MlXxQ0b-uC)Ay+izN zl5>xdSDL)9U5*DQf$aS=Ny{vxL8_ZCYW6fw5P6dul47*r{?~`X`?uE)9ai-CjJ$!56o|K z14@hPV`{U@)olWSR&Ym^ky`k-XexP_@3)}986p`Aq|ZhZA;vk-#4L2H++7B|Vkcj= zwQV&3xWizcpuhz7i$sSG%U0MH6~Rs%1=#Kj;Ac#^Cu0f$QIR=ou^ernHdEEI{A!a} zrcr)V)Jqn&{*PCuv47?`INVS>>@|CC=WA-f4t`^&XLJ|3BQ4t?m@Z9x<)8S&6~cc+ 
zz5jRJ(YcRaW-QLc5qyoDBzK%MK9#g&98aHHp;OWc= zk-L^XR~VOyH$ci@R4b?xe3rHl_$``U9**7UUIINdnCy5(~F^?y~CRPI#XoZqyWAK^V+`SDS% zaRK>BmN?VpMq!@4xm^4AS>C}y`M%u+NFiI;S()0H+8T+I7#f*a%fAjN?N0U&FNDjj z4<`Z^W{&`;c{N}Gt{<)BD=%uTVAcT7+37hP(>(-aGc85>YeaqZ(RB!rmfhkj&=-|E+U`NINC zzl=PE9b&VBr|m-(0)Jmh6BjT%DC{BwI2asUG%f$<3hA3Ft%(r=*dHLwwcmM%mtRS5 z@V6hnUbv^{Ec_ z;Ft3k`HL%)fHp7-}n*5H1H)hz@G3Wf?R^OvhN>G+wvDZfEm zL{u=oGSGNA5Q~3L)v*a7Iqzi+ekP4h44RZd4QGV!bVt<5NQeaMbiI#Icig)wH+-xBNWTvw+>_R{$M#A%vGYZ8n*JXv=Qb zyq8nZ##e4kjDBRMsG66ic~s~m{DHf*_3b>fl7)La3y+K?IL7PakqAoE;`2-fU`t2X z%d0C`L8;d9pZ;)KGliU(c=L2*WME(*r(8k23O)lJD=V3-Y``DLuqdVL^YnHOXH_N>tNmM+kFyUs~%H%cSwJb$`_icl=2nHHwIWu$8c%sg=k;QOtmYgii%cOR|j#_Qd8Gfu33Q)#4ycPwC;w61`d)!d*eQxrFWq$4GmRb zO@yLu6i?fF)c(c_3Ec&4>*HAj&HmHu1)#Hfw(!^`-ap~7EC%LME!{3(?Ch+1;6Wy2 zz@MFmfRk8TyZmapz{iAVJeB=zz{E0^mxp1ws$=ZwL6xP%&p0|fOmWm$t2)$2F{zhI z_ZIdZ?&FQ|$;)&^rc_l{evCIN@+ktp(&|78<&4nwo}6CVymkkFFQ%cV#TC!G%ICfy zda)69rXmu27M>!#H2&3TT5W6|UKOJzbJQQ*BBg;-p{}9?Gj$ubb=TI`j+d4w2eQ5* zJ%C8rJUp&S=ZoGP7Fh`m{V5<4BFA!)fjXZ^l<#U;RzV*b!4IZEQ&kDx@APi++%mbD zokaoLluzM0s{i{JGWdx=E(Nj|F3p^A-+G5=w(!U#o>4$L`P$Xh)zi$YskiOp&&k?} z2`q()e%WbkrntCrHyhxj^9LrQ<`o^!hpPoFWJt!24mMvi2r(1MI*62>ezr~f-_Zds z_7qGPA6F*-ZBd%GhQVY9-rnHoy!&ns_810|pZ#32sE)SR2z1CQp=Qv+9)`9?`8Q!9 zN!HAMRm>)+X&Nj0DU2e1DBYo~DE_~9u8@E$v^Z|DrvQVW6^v_%qwSOq%|GFdM@wT0 z!2EkR^NKiD;eS*duz73v!6b(|-j|II(T=QA)=mpdtK_LtPmXh?B@={9BvS zWzb6dO9mp!*Kk!-?whY*j-3tcaOhsdN{kS6^B#Y8c7l}K&EioCJ{I3?P3On_D=I4H zL%=5|FYun_9}C~K=$3$1dfvVpHM6=4MTQQOhw&I>ZJXIav;`vvtJiM5I|I0~Z+FFY zNauF00Oho6E!>c#XZP2x2Rs&^#j45;YY z2NX8EK_9o}QoAO2MtJ0+j^xky>lRuOFla|kOI_eZ0q*61DQWto2G8ycA2sA!nc)AJ} zt%fxq)Axeua+3Q85iq~f2Y_HJ45E(+!%V+(Vmi%w4|bbmJL=@mNwolIW!#A6uaDj7|J?2R5j~)* zP;b*hJb|!rN&{hXJwA4ez^!djh;P(2r7qvK+2FAo)q@4Q_|Bh1G3aroO@Zd zP#N6hWJNIhEj{{zU+ll1JXBvdHg;2n2V01xj)gEHpozfSd0 zLEy>A?nnFRBJDWFjRKn%-$_YIW{?xf54K#;^V1NEN|9IltL^D*4-Kn5hNMM_nnbrI zfRko%Ke!8Iosoa|dFjg?9q5Zxl5$=32dR~@%T7n2kkOyEq!Qq0E97#`cf*!WUd_x7 
zi(IEdkE9J0qc+92r!Q{N+V4ru1OmZ;qbcBfI>P@*;2zuB^_ja5bbRDG`1Ao?-IuQ8 z_IX)Z9Clk>c+-Kg95Y>bU9bArbiX#MVWT*I;ChcX9H5+huYbbPZ zhE&Zm2Q!D>(F&QV)+K8)Dps`7C+p-ZR+3b#$E#iqI;RWkoL2;l9E16Ua%`yJ zH@5D=hLV>=fv{6CIxe>SJp#d5DVEm}6HpBXvm_`03T#_@tF~w4Np;F-Tx>2J7l4B;x!_P-kZ|A?ulM89N)0 z-~)S%HwNBTwhPd4XmDGL8NxniIlPleD_zPl;ptox(sh#Ef5pOa)hqZlG4>KUqZ?ET z{zDU|v#a+W_5?2Xhq!e`)VuRokqAr5ZqFT*YqTy4?t|2&%)=L0=V^lzlKh9yGBR^* z3@+F9R;LsCxDM_PhrAO+Xcn9q-&$ZABw|y8?!_djJ2OD8o*D2@M|~{N#!O&7jgUlF@6kw`zZ= zYh~22L1hFvVK%t}1}$ywJ^@xLQx^^(Iryf+hY!{QfYmxV_Xk*9Y>=+upZsyA>L(%vhAuW323{tR1X5Q%uQ4fLj9q)Ncmluf z64T7XQ9%v)yv%Ix9Z(*I1nl}=ik;IP!-#)}BKRX0dF=uo8_YHdwX;p3+Cb~|!8gb{ z?mS6&tE{X9D`s?^(k*{SKXy;|aE=bca%-b-FtK7_hb4C|aIi}LAw=U59Nc91P?Qi+ zgt_XPnSE8Pdl&5SM2P?De7rMD4Z)QqP@$?a@=W?BdMiEVc|(j(?LQa({XSY-j~B8Ay<&tbyecnO1fr;R>;Q0_|zdF z#HW4hKj%DAXvoRPNGzRuE)`thusZ2I&Bn#BHaDkdpWW*jcwr(l`jDVLPm-Xz1HtMw z5s|+bHn>~8YgL|px}o0KRaL>QiUp?uHu;#ZpOaRLx8Ybq@mot%Q*FW;4G5m7e0bp7A<#!G=CZ76@6{AewA^|47GJJ zxFmJGyz;pQ05KfjkNCfS%>h5JUS>cfG*i2`8BQvOXsBonsjW8LGs(O8k$HsY%1SVi z8I{pf-KRIL6#szpnPTLI8^s$Q$IM3*M9IhD%8B}E0z#uVD9~+o0^%=^L0l)ARP<16 zf^{MY98~!{;5bco(@l?$fMP?Y)Abs1YH7Sct?Klm`@ORBAp>My|=0{2>juI|3gS5Fe{V{__ zJRO(!*)T35DI?14P=oxN@d=6TLtY8l|75zE;H)ZTcpPjVl)jY&0K-$nRB6NtDUa)S zSaks_SMazOSK@#Z3MFZz4=YhxA&puy6S8}3(y+`I)^J??g_zlv(a6LsJ?mdm$_%Sb z)ZGgtbh|Mugl8iwL?q8fG0trKOP6NWf2;>vyl9c1gocMy+H0f|lRFXIux%XDo6dmN z8POG1cdEdA9AZF&;JMbpI%zo5m+CW5= z?0s0omt4z3)H(6X^p#{px4(ot1V7R8PZ$p9o^9CxxwaQQNC(bPfBWEYb}Bviu~j2x z@QLX8ZNM7ewvAE^$-`82N-DuxxBlb%FG|s`Ff{K9i~7|*!UT)*cShbw(VOPB#^DNn zpAoT^X$rV}X=1!S3+6+yp6@8~Io=-EYz=N{;*PXk`9N{ffAj)5hRvD%^mtggf>0V% zH8}~FAdr*9uq~(q7KF1U{XpdOHY~^(KkIvj91FWm!tpRTc}Sg!Q?rnrb~B5`3wHp$ zt1XwOis(GZ%IHwlba+z!t0(6BAJ>079wB(P1^O#%MHb{H0ldxfLzdUQgH}Unmd>!nyGnj7132|y)GJK>rsxpc zRP}LC!Y`c=kXom6#(++&vnE0=*wl6!(6s(^@aJ~D##qB1lwy{=1Q>dTaq{AwKXElGS$6OF`Jpd3_3Yvy#cjE{BhZzYhF z6gs-O$l-Nt{%wb8?5FLUc>Gk5kMeTx2uHZ_iI)ZnFh(`=424~7UhgyKr_0rdI#-?& zhj`n9({Z8j8r;>WJ}VkwvQ9Bv;`ts==gB66mEtqY%7b_kBgB$!H4xl2u%_Dt8Udst 
zLgmhJ|IKT5?6l8>g!0K^YjW#7Oshq)!eQ&6WLbKJ0Fri3NOWL^vEJ;V5HKzF`iMrU zFt`bf?LQw@qmd#^Cs=Cn-a0ZrJVO2h`)L`4RbF5|82IJtoR(xB>jft^@ksn;Q2z}Fu!qq_NRRK3dd@p~5=9{Eck08`9{ob6 zTh3n7n3v#sn`VbqaZ*=tBJoB`lIeLh6k0+lp(mN)cHuc=xo_XKX!wQk?pu4qz1+C6 z(aC-Qri<(2J;)%6SlIVyC|9mnUeyG={H!(+8wz?ITe$=*B=P7-YZ--`E@qPQnVv)y z_}b9V2w7ed99e~^OY9ma)R+VziHDhB~Tp$SeZQBYa{%>T?7w5UnC>&n{oxUxzDZe_x*DLV``x> zbft{zUlo5svyTc9kp#b|<50Z*^u(^1l$iW0lx23e!59ea{y^wmcTz}{%B!gwIl2+^ zk4i+GXZrpxt)$aks@5y57+AP&D4$8WG3kkFNpM7P?t${1FB0B;`otVV+@Y>RaYXRV zOR$YvDhm&V6EP(5cKWjK^*;L!i1sWXFvbsNMZ$6p4HUUoxSByp-# zm!CYiA&P=POr!HbA~l};Bpf+xPvVg215Q3H;02;hsvlwHS3rszRP{&ebrCZrl;77? zYZEI_rm|mNitlRH`CyYl8XWdUB=}M=sFCx3PXYA(N`m*kcQtYurb{&(nIBNLs;pMM zl4<1;WRS#Yw*rL#H7lHvn4PwGG+x+4hGs|vQK(aOgbGz%;Z4`$c7Wd9h*vlQ`xb>E zR>G&zU~~4KTe-)&XMCrDi1&yDH5_{Dx~)SGN9^7mUTiVCcqTA8l1dEg@_UeejwS3F zz&137GH*ZLSC}I78M)`5*tyk4>-CV2SgR+*fdwJnb$})BgEQxI3IR8yF?_aB&g-CL zIW7@Ysdt1o^YJD$2d6}*W#n-rWlUSg4Fn*yhcipc8l{~b7<5 zUWOiJKnEh?7k+C%uv>Qqa#P*7)T0QZZYnqXDMtMrw@(U+t=AdXqq^6ysb{}ngGNd$ zs)l7r2I1lfgwgRhbvlFZHxeh`0R!-HlJczKhHz_IHmWO>6D^osIa8}{H#U^_WwfjLcDQ%%ADPHP;lla1a;J2|E3cf8+_Ga zG6C(`!C^h}Ba8NB{>W1``Wc`2MUonS(?~)XywOOGKJgPxX#A2+q-*?Ukb?gGNxGH! zJ?okVEO$oNUdw9(_x())-O%J*y8yk;t?H(|$=m(bT4ApL^SA!1^64`ncMl`rrTW0m zdeceQ&;vbicRBcY9a=BFQ$Lg!1BUTW{ZA|&3GmPqH_$+x%7>=(=!%p+zD1oJ1qr1{ z8IW`9Z%yRyD}TW5uLvu2Zj}@Wyo|FS@ckl`nX8!=IXMU$IfNE^t2r)M?lLd8sd#_? 
z*Cwhq4df+%_s_Ec#cy_DXR7N8f6uC00ZRNYPQvR}Phf5CwiB9%mo}u&=PuOxH>lV6 z7Y57kcW!V%M#K++I}fW%6(N}hH2}F6vhd<3`gZ6{Crg*$T&i$+(}l3@V}zw zP{^;zX>M`P>UR0kY?hdrtj)iPdX#xD&-ehUwH|!o>vNrN;dz8IOFUtd@B5kmXm#i& zPeGvyRX*cnZG0?x)s2(O<;sSBgA7&On3^+sTZ@T-(+>lDE*RR4bJ3QYCQ5K>=gsGy zgjl^reZ)k@ySlYX`g1a#R>a6vQd9@Wiy^35eN7Pp!lAw#%hy>s97a)gBz(+$r?hB;y!I4$O7e;wzi zJWa0ifGPCLK04y%8fsp+yIg?4V-qa?V1E46%H_2AVy+hk-{=`e9d?;O?&AMvvn!u9 zuZF&>fN3c`hDL%MwVqK5zb92NRXhprj`aoCj8^itI$|akG>7=%f-=tl_tItZlyG5KSo|s zLvs9l?ft=v<7OYrs1EN|I|gZ)6Jn&`#;JcP1K%IxVjF_P>bb4A>ny+mmk?qA*JV+m zb@r0ov~z)SxWv4yZ^*GLDmE2EXA=<{6Z|K%$g0E`{iyi7W+68G7q)nx+ISx1OTd2q zuUm9mV5CXH4k5T-uufnDHs`h+WG|NFFEYQntm+GPnX4ojew!MHNN51cJlR0#L%r5)bj^;t5@xF0f6hy+Zltvq0E`BGy=diiGP*-O_AUbLnxQq7mr)Khm zaF2pSgy}}`zOlbmbj_8zml0yxQO^h?DdT(5sKSCW`Y*cdD47UkeJ``;nga-Q|_|^3F z79$J@eD!@tI2fhOZouNI7?byD!Pw|xPI3Qw-{MY^5fK90B!V4w#g-{~&lE&V^`<

XG;1IG>*+Cmi8cG zu;QOUrXeZpim-w&LmB+jgC)Px;P%>8+3zS4EZB!VJp;5h+ukIW95%3%E@PirFs@V) z%@BPPRkIq?t*98?JW_Mz${Ll%u*C*Z?sri`vlh3P+L<`@@gZCS0|v9tTDQ+-tX5L`FK z{?Ax^G%mX(on`JP)z%`ereOa!s;~c$!vyNu?QpWp%Z}#UTl9aXznTy&qO(BI*dbyH zjkKvB@<8+>GFkCSP@7EKaErosE8j!v#jrSU_*`beW8BD@uF$p9^nI0F zV|ddDf9YDr#SSdZoNqHxLRx5ozlB3m;?uhDd<5TTd9^zWT$SS>l0RJ2-C#2GKfleQT<31CrI$3s8S&CpEMNLwFxHDJTS8e9(#^U%!Gdw2jy!v!iN?bLo5H?jm@0Fkjnrr8$jlQiB`g5{=0T?ocMVir@^{olxeLf<>Q)hAg$#LAq(FG0as;@ znNh9PZIUwhQ!c(BFR#}aOx^rqp%;*&R6tqMP&qAmLbi}p`=SQGlo4%R?KZgURc1ln zwPZZj6tz*zc#4XYWc}Q)RSt#g5q`t~-xVcks6oG+awspeP;Jh(IyLd#WG@q5?4K`Z z>U(-_!%<>OI4zhSW45y>YqhAzbSK~Ws=;4=tXIgwQkB~Pf2Uf^fQj6|ROHO+Tr&YM zT6Giyg?L$uYmR8| z3JIhr|8>5xc53P{wwRAf`x87eK<1TEM-@f7y3|L3b+hwZVVeb*!e{cDv!^VKL}dUn zE{J|{OXe3_-Z9$j5K`x-(VwG!t(`6FcU7-z%o)MDFx5qTNk2DxbL#*;yyn0u58yil zB*$w8zpY#p()msZ5@-hy&qhyidWX-$6XwRLS5s}tCcaceX_eHHg*igw@bCYo6TYPL zwr}|`m=G#hGSz-VtMN{38rGBTBwC~kHXVPWW@t2#bd%D>MBC~0i2I20>m#<#l+@{Y z1I3w9^ek1|FgXyvsmjJ)47AIOrj`D&B%}IZY4baUx@aSB(~9I?~b_U4n;JMgn zM(y((P_Zt& zT?{{-L9-w zDU}_Z)L#?7aeA9JBx6MNO`=f!%x5r~XYb=LDCyjtng2Z=9ww)Ce@v2hHY-=Y>)dkk z7&A1Pvv^dhDNZ(B4LrxLie8QMh<`s+EbvoHaO%l~R`AQ$RX7!mmE|+o<8XN3?eOEc zKViKk`V&}FQy<@`RkXWCotgl!7gN{7n`wU2i+~YTxaki7G@!MlQh%Fw&4}GzLZ4-I zc;!)x%wzOo%y#wAjp>q=g@cZi#UuN!Ul`cC`6=&vjaBh+PCA0si{H_P_3OskA=j*I zCC~kOe1Gg}FZq89e!GMv_J1E@d&>tN1J{RlLd1@aSpWj73qR({+#sR57*A-`sC2Tv zwQ0~mePn)aTu-N}-Y$W=tIMp=KT02~pBKM1vVQG^gw$_MJM!{Ce)o5p)dpm=)RYxg z-(}0rfs=e&XZt3K;Qfyz;Bm$9{;pK z^RJmXj{M3C2=kLbu`_tW21BxMJAm&r32zN-Y!I5?I=1tFyK;ZdANu_q9zGZx-sE$- ze(d}>f$!ugj(`7a7N8lC{yVJvxC6d@5WWex0>HoUYW;YpeqT2=%v?Q3`*ug!oHEu8 zn>OjKZ29KL=7=Wjuoyy=M<;-3Z3}TATFO~(UE(@S6(oREwhW`^C*NOJ&trCkKCI_? 
zDflz}BX;-sU`%7Qa>^{VZ?>H|raJZ?i!J4KIY1Lrx3rW~rAxcrwRlxZ!t#J}C!Du2 zZkDranxvCRPW9dDcyTT+eeJ#WI;^d6MMvkR`YqTIW$#!lK7Gyb$)hutc{T3yxJU+u^Qu&_J2eYRVeHa9zVJD)8dxjgR& zj>Uf#9$BLFe577})K(h!DaApSs#N?{TzSuKJj`M#QjE12%&}zCLVDGPpF%U-qYkEs z-9waFExuW!uM*(DW+~s+3<(qE_)S`82FWEA=_li_NM~j5P`Kj;wAl zJerLYsR5OhF`9Xb6~o1$Ld10RKs^t!^4`96)hgh+K|I(v`y{8bH;P%=Jlj_T{jO03 zF<~}Yg9x=i1AjNcIz z71ci;Fr}2k&`J5R$RZOO*?Ajik)-10S{HW6$k>)Ph}MV;?gOVzYL}0aaFy8;uDuz> zsRW=Um8fLUwY)5-y$;}41W8z#^Ou+Wsfzo|Ty!4bv$pZVwWP&>3Olf0U`5J_J9p3{bbF@;_k1@MbMP3N$T!A+wG_kk@t1{=g3bmd9A%P_xeX>!{to>HWjakuO?DxHAdLibc=^({0qsHczNn3Aq{+|pqkzFd^L3n z;!XDR<19Wd@9uX)df*=G3<-yitUjtbY7dcqlTh=MBqQ8SFQ_~8I9mFN!7za%mm{%i^q?<(U{+f9ydY1Q zS0X217pMWBsbjO&3)8KNbd#w!@oUm;u4fHp`_ni!5`!`(Q(OZ~kJP|=X=k{3u1?z8 z6B!rn8dOT`_%4@IXD?jQ$cw_= zE>Umt!>i)l4I7OAKA3le1{!SHdkn{X1VHSjomQ(KzMv?M3*V$qM$zdKtgUtW$305$ zoT2J%E9hUzsfL!7KF!?KQ1rsO3EZprNI$0&1k&Gs$rVj4{$vhZ&`L7R2Mw>ZoTX|%$xfdn4MQ|jL*cI&1 zYE(h!>%I;e9p zTO`k-#~rRfah`*{yU)EPgbf!DnY+lZ7Vwip@Eh zXaPPbC)<(o(cDnAsmZ9t$;!T^cM94|CsZj%rBKRDFH=ZkU592t5t~1U>!T7Rue`o5 zJFJ6Q9BdEeR?J-3lqnp!6oXHxo4DUh2 zj5xJ&b5_ChRzT&Ops{m#zgxGd9nUgSnPJY$_^K~pE>hO28^eTRRI^I67^m~x1>u-2 zJXo4wG0OP7oGMQ}=3(20hWTFWBP@k&eLiYQ%wN#IdN+&Ra!%kpxfClToGVlzb$MDh zm9^f4%+`Z`g!g&$?uTJE8AJW{_Q#Y4#f7NRN12Gg&wa|e;OdDgWM3d)Mw)hDjzd@( z5F&xiHZx_0id`qlr9D4}f|7>pW41fZjk&>0Z*2kLSRYe^qC#wFoa$#J%tJ{9alf%i zH&T!MH1z&K%5Gu2;=F%7#U@t6DgLVil|<#CsG-+Q5B_Z?p$#l+ zQ%A2%aGv0R2l6Z9L}&f$sLnFYqP?EtR|r0IX>@>$D(sv`KsL)xN+>PAu{extt_8^W zCLrDNhljo2p)Pdg=0uG?x`sC{pFn|;E&;(E0F<|bfX7?*3zX*+QceJdZLi6}4paZb zsdMG3(%p6r9T=N00vo(OXI*LXI$9iz%LVm#jzG|RBz(Au{)1WTL8sw(yx7HQ@l^ee z?n=UR>i&GA!r+8RnKPwN3isf#S`m@2-SHP3uk96^moI^lC{?UCMT74N7^^m0F2?Mv4BBzGKv*4A0Ut7WM)5(UUv^IUGk z3Yi_;QRlOso$pMBoP&{m<2RoAo)L32Rrr-r&R=8<)gVOL;_X-dWab`% zcqBHV$q%;ab>71CR|}Lke=LKP~4=s?#58LZ@o%I!vWcbM$}vb zx%-kL@)lN3BxQ#u#)PE==g`=V?4S&JH~@|diPf2fa0z~%Q<~;}%vlI~sCMeD7;<#h zW6fZnIpChG60yB>JFuzdLiG$6zsVW#e#@uXylKH7kCZpS$%r=2p6fMS?m7ugRirV3 zUvD;n|crl7aDkU7{{-p6S| 
z2Kt!#WfPYe@y-x)>gJhzZ!!D|8sQe>yVHpD+cbTHF!FDffZwK47>m5A1B}wXQRlRb zcBfFd7*FOj*&oOQFko+C<+I1uCTj|+^atI>psR;XD7s!*K$e#DgnjrTL~BfMo;yEK z6{-%X({%)nzNsv>KkHzfzN~ao>}h!k~ju#6XwX6xHQH@=cC!LWhM9+ahX#W zNmV|iK&Z*M-Wl*o~Ytykq1tQ4#p7 z?1^B17secmH+}bbRTQ3Ol1ruhSd>AD4qEsf%^qtLkca~B{Vu5Qb-ZTHd>~L;ia!e| z=}Zuo;N4FCSX-d$D}gl*x@f{;m)MvlEGu*$k_B55zERuJN zn}~2m5J%#jpoxC}U{_)-w(X1}G9CXyLSDIm8xe$GVOs`X{slpG?~MsK!-6)~(znPp zyBVylZQ>va-`g4S*Lpz!v??o%1tjc%2UXRX(vL&$c!C>B?nDK7su9(*t+V=(KeP8u z<6*NjOKa)C3`<}RjR)hhPdQwc`DADmRbduxIK6#c@o;OsVyJ=P*f|5z^68$bfZ(bBRxKVZ#9+~2aA6%&8 zRF_fhtQFVx=xT@8{?^G zxqmhNmCeDIB11Zr)$b3lLT6nssdN6~e zSq>}Cxy@NU#nCAwqq1lf4~)7kZ=G(?64I}f6Aeo0QNwz(X+c}tVXduiyqSmrRMh6m z#T2Y-;7>lZ7E?-tdhCbIlH(5Yi0z;Z@L(y4=02c-8RHJb9*Ce!O=&_hqs3M4X{$wZ4lK7$ScD6 zjLK(=B3oJHbjaeN4dfcMI2~C+d~xkRws3l14Cf#4Q15hk&n0hF z^j@%A{47^;4w`Phj$NyRaNcRa;4?nm!RL%ObU3y)PBPv1Cr7!cobI2G`qLwF2rh`2 z%+0pa51P?yKWQHc0wDX)Ajl{zrNfH6gC1Av$PvPmr69AW4e2_YlM^9sq}(Tv8%Ww2 z#Lv*JSeAPCZG9z7^ql}KgrJBlsLC9azEVr9AgB@ec+$Ls{la*#A9)~sWg=F>3cNeh zustCSb*%)4oSahFEht7>b3OK_GkYG04}#yYGRj4X%o+gK$m?!*DpeZ?7pfv{E83|% zs;9`@-?6kvFS^5s8BU&{A2#Y0&0DlHwV!;1S-{|mgiK=zTB_^~p|c+z%1~&CA}e84 z`??iHc$w=r$qHhWgTM7v{tk~ts8ijU<;kQpwsVhT#Ni#CE_tQqk3GXut#N{@$|@@E z+hKH(^^!6i9W%7A{pf*FaFj^Rs1mJh9tzt!#ZNF)rN{JMskgug9GF><9V%)4f^M4w zsP3e_xc6tIF)SIn10DL~`9_i(18HYLGdkFJdx@v!G&3mr5h^_st@3E}WKeD5m-A3RLu+INoLr^jWm_o>$0`zrn1UH=U<%)V^3WmH_RVmUu(c zlGGbY-;~T<-#D^|!B?^6afBMj2Ws*O_hh!xPWE*g!4XV9A#PpF7Nt|uwQ>vUQ!QE76O;S!IM!QH4ZlBN z(URPTlN%HAIUWE$6{jzE5(kS`$0Z&ik{`QyVwf1(#{?LXv`BTY6_R>O7|V2-(W;nW z>}c7YeAJQm7NL;eml(WxP!smc0^<_m(A0Q~%W&O6(Zc$^tD2V7YjcxKJuZTZ*wi^G zkbzV2-_N<4#uY?D6c{=nI9&$OEFeTfom<7ly^wTo20NAerWE(R)viUNY+ z+4y2}Ih{n4H$5r@i?TEMnRS6wg_8M|wFVcKTpS(xXvt1jYh2}ehFn*8ZYVQDReYjT zU%yXMUfphC>r!%bb~v&#D0%x^-G9$3(7sQj4I7PYfV!wY%eo-x@y%SIi=s4)Y?2VF z6g{J3oN% z#b(G!#Kd?A!dJ=tsCOkCsk_k$-8>bz9wSgfb0EIF5anYeD?PCZhdTx_nVrBJ}o4P%Do zXDUoj8dsx>7c;=LPkmry^iOH1!MVJa!b~Z#33g1|^uPShofzEHA2djBT3p(#&ASydAnQ1Eh0)_@Rww7}DPf>+MbAH~rj$Yxyv@N^dE@qkXz0k# 
z`7g;dz&~9T|8K}Nk^kmK|9?TJ{l29CS2_&<_$LbG&&$^81OS$Qq|*R@y*l?lu9#!SHY@(W)q z1dJ^I3p5)e{eO^VWBe=DjDMwo|2@sd#02;Unr%>1-EO`P)$=O!2@F3c?8DoY=EYtK z+D4PP183~ULwmS{ONp5LmpZc^=eLFs&U zWMO^t_#XBs@vKsNcsP^Zhv!2?H=mZFt`fLOf-eMoB$JBrw$an0yi8hJkR8%p|B!IS zu7QoG9S~Al)D( z(%l_`G)gy$fJ#eThnswPWr7m}89pm~(BrDIWwY z;t`P}bGtsg)?)YmPIHn!_w8I&OY=(|6`!$bHI^I9& z7sY5Qb;Eg+O(%Q(-j)Ra?1N}GcAs%yEMeS$XD+jaa%IUy?q_d;Gc0nl~Iwz zNV<-qvf|A%X=R};W?BRCITc^ZuOkT6{K2A_b`kM2r~%9LpIk^*@UTBA2^~br@8uOW zJXyD>$hA&pP=Sn94hAIT!-cjuy(}2oC$Pw6d9BNM?*h~4li-}&@0V`MxC&s%ub7FE zZGj;+%u7( z{oK!Bu7FFloQ9uIjLsl0(PUGai0K$Zb%k4333=y5mD!rw)6{eWVLCN`7Gc|&rwLza zEw!XX2m2pY;|`H(sa<-tPo(EHl9MiFe_4#I=KiBsQ$Bqm{UV>n*Z-1ZHOw3}Lx);H{D^qH|X0Es;rl`}DD^g}V8xQ29=Pq)zmAZ}HlC zub7RO^%OPq{pA*ebiss#bdt2=36j_oGI(BJ*bCmPZJKv>lUgPZ#VB^8@%b9sU?I(H zP1=xP6NS@o(}j|>aDVp}(T#uS7EBK%VR|Q0+rxWjNs2rIW4o&11-~NiMUw}-CJ+4b zbA)!9I1J&&Ud*XV4Ef(N>|~Gh4qsv~cX&U@l6Aww(BrlJrDY4Y)plGnjJW`>2c_2! z%2UOVx%_P=i7Jd{aeEuPQ$1={Qn77$KA{FSTWXa{TE8EF1Ya{Y)qanp{~Au=GXW}s zA`jNEnpLVsgqly_J++&-N2q;>J3Tx{59ch4FEkrE zl5Jh8Ru;D&>8v<3(|Z5?O8c1BsKghvLFWzwhAWLhtJo&H2WD+gw-xS9G8m8$qf9vR zAlqHidV_JvX@kfvln-6;`9jyB@RQm%1**S(C zJTj#-oNa_8MV!nl_v_s7HMmtljZZHde*7F@nju0_AINBKBko4mrys^$7gW9ImKa}p z2c6*h*Iu~?YW(?Mb2(*hjpUK6ksrA6u;1j?eQ0o0XsAMnzkr30jn5p`_33rS_0W4% zY+GH-lIv{l4jd~|q7TTi#Zvd{o5Qg}^43@gp7wFa(%Vklh`8W`(LGa-GFoLa;OXGl zq>!*!*ksDt(JsraFm#jI>lLoY^b z+g^6CDUhrrA*?4yhY48)H&PIok7Yl<$SdeJ-MJejymf1u568oc0wXgyFle4XkeYpn z2U*l(z!2@aoLb=JLCJ_4J(JHl5)!;07Dy)WBYVEMproZ(SI+QWCWSxKwR;;63Ecf9wP{f_Yz9zo#L8a*e; zuGR}IN6zd!vVEg(eG})Y`K6)NUwZ=aF2__xNKQYbXR0_3ciO=g$wcrDe07_$ywiZ+|jAkaLq!caTC|A-SYWb z6o*Y$-BU4YuT=*3Ol!2?e<`O-w409O`dfQ}NUIxkg+X-ToX@o|>>@9Biq}8_3RuY| zMCx((`Pm)hJ+TcQ-HJQNt%W=;s2mYP_hFmM$gia!!sM~MtuZ{<_s(rQ@G`n(#-+Zz zB@ZpqdfIOeD-KP+J~8vwR6UA{jM}% zQsxHgh%_$`c_TV%KHJQ}Hrc~PwJ>7%eHCt<_+Mr%Re3(q6GT4?<>HHDuHYBU~rSms}0C%wys6!%4g8fw5@ z&=U{O@|6Wgbk3I`gdu4sMfrOEMfLdP6d_k4w;N2({v$_BiEpipxx_HcO^8X>GuZA` z&KG)TZSUNQuvyamSfzIF%@?bi*Tg*Wn0F+Dt_XR%X>!TDyC54Srv>Gb 
zitprC!f+_zY#f=S4)h?UewdV*v}vD>=QuZL{F(HKw(c2354ns%BO}?ecQq`VK(L}i zUr=716fYuwoK?`SScbjPHiG#v8Qe%<=UY_K;hCvRGVg}0awZwr@~}VXI8JqyBuwO0 zj}r5WYwJBnw-#~gZ@Y8hwW49zp)7ZrX>eER%$NDARf)4r3wwIK;>DO19t8;&I{OI8I@CG3C9XrgW*>%UtL0_Cm)rXel3#g-bvMCBPb{tXX-+Am zAdk`+Z?%a*@}qiE9+P!S9QQME7Ujk4ckhKAph$D^^|f7l$XzC`Iyfu!*#%a~yw`6y ziX%=7)l>0Fd*3d;w&!y5Cz)psCPCSC9y9dZmd-=SZ2NlSByi&G)<})Gn((b8 zaODUDmK@a2XqQcwAJ zqLZ^*-y0|MPH0HiYGCm7ugNQQD^yEEr&tW{-Tl(d*TFK4^pK1AqX%YX^-R8dG5Z94 zZgXn?M;?k=fq?en!^N6eZR2bM*=$Cs`R?@Kex*K2Vgx7_r;?G^!-@d&PQ=uPV ztl(@lnuX1i#ZTYUR(P0IR#0oDiG%Tde#UDrIk^_$ojkjt#gSrp!W1&Zvu(DDooT-K zyUDXsI;TF@V5JDoB&|ey-ncs?i+o>EIBzpOx5#1Dx5nh=+f)-cK$z6M`Jk=L%DMKV z8Iitay=0%jTlzq&aNVg(hfR`N-bPbHDpSgG7cc0AADO=R(p2_hszjj(OUAhVL)Zl^ zySw$P9fseEjdC*8o6WNyT-Ik`^Mku!O<0ESF3xQ6o%{ybK~P%sh*!GF%oFG9Me*q@ ziIer7QIk-FT)RE8b!pO)Ive#*mNAlY}lu1?QFLXcE>s6mra{ZKK^h_>-{R}g zVYC@)y0G+avVK4$^!vu63?*!;bQ~u0+g@K)WoE5Y)mg8SrfzfIe53ptQ?^2ngp)O; z2VZUSb3>nMi~4H2z>D1r4jds2QfXEFiiq~3q)f|(e09WT5@Hwm=4%If^dC&R&1|iE z@ditfIUsT%5K7PV-lL5$qp%7hx;Mg#XPGRc<>c!wrKo@%Ey=w37Gv#hx;#b$?nNoQ zLW)Y6#%RO61Zmamr|`RN_RlQwrYx~GZsM6u?vEh)AdhQP%by`zt;wj73) zf%_X>+}oVE{MzF=b;@n>la(}9iEeP`H!yr{(Br+u67v|+ zG;g9@Xp+jYmT$6vCHp;ejc#V4Tg!OaOoOT)sbRLlEuA=|lfOE6MTo1t*4-kMfuu^X z@Aj*LmBF&-QFh6XP(u|Gf}qX>#L$PW)_S#eMdEHbC^qf4tBoZhES2|P>ACM4-|3;u zXOA8jupW7T&6LnTua{I$NSaXP1X$EifwPfX5>l@aJ*5?JU< z9re!!Z(gj-TNp4At``vCLHBZNeeyAPLD~d8x^ts(w}$QA!1n8E{h4YF$s1LJrYq&{ zSTD6Qg=V-9KFlUQyTieDUAZf7S&jkwg2W@i>j%jk7!yYu$3nwWE{%1iQ+QmV4?QCk zi_||)8I@po?TSv)dMZWK`P>~TTl7>yFHO)IqSy)AE5^F(MZ|s0y8vg{i@%mfw~^?! 
z|E8#-p4jUFqZU#4_lI9zw_O&mIF#b7Vd;l#09+t@-giL zg{i1Lq3{KWMLBY64Hn+^NEB8R0qaK&pXz8$&)EHUp-9~HL?MR}Nb1DU9a{@Hk9Kiy ze-Hh(EE*{VL<3Ld%vRB^tgi1v4ORpD+{$W}?-gt z{K`bBSfqar0Y*Yp3TF25V{ZJnw?^29zBxMcIcw=JEyzFfV$I8{ycZ+LuvC@Md!dnv z!7_B^B^#-7CR2gcRg3pQaaG-W+X)d25?o5F^vGA4NtM~1`es}CzTVCtb4KUuYJEK) zQ>rKCQ(Ts1V1;{SUa!Ebw5$r@onpar^CJYeFpANM36=uxPny8byO~;Xwr*i71Up}J zLY8E_$!(VTd!xoNEf$jWXVI|vi}jNiGSsxYnx;6O;oh!~cHGsbmR=gqaop9XwnUkW zcdY8#Ls=&h%`7M|x@!JD5BwSH8=oIc5%hr z=PIhVEm+Ki?-LSTn@lj*&?0FH(pi2dRHS#^oAq8+g85!`fz;NzXYA)`<2YXI0b*jV zHup9!-q1JqDGq%^qpvJ2)@pP_2W+BE29|x|tQ*$zkYgaI*}m`i2<}6|9z9aI#DV2} z52aRyNBcK@&m{c_dz5RDhWO_ZH_*$sTrMVavpKo)m*H&6vQDrK6mg?pl57*V~ z(4Vl`3SR!g>`ctELfL{V;K*>zSDV@+R_&eipy4g4E!v*(`$G9`I4w^rKF}~$eZ3TT zMF0^mFRGII;5&99O7DQp!G=KB%03IOlJkFb@8hwrb$Rsrsx!d7nBqr>hAKJagnR>9xBWxu;D z{a2{{`Y}HOKMF4C0yX~ybbs-oK76Mc>K}fn58qFp>GQkmEBOBK%AY@~#o256^HK=^ zS_$r-V{cxeAC=(e=lM|yUIBqie^v<c`DGERT&j~niZ`gBD^8z>rp9ai+ ze>%nAW&QtBdG|k;XiGXeI=Q(T0dLU>b^Ps!Tljx4;^zP5?frQ<;ZGuNUIF3XMBK)k zPA}!~jvd>N5w3*E)-GQD#2Q9PUZ7~gKg0jA&eQITWRkUV2!}A<%4GYuT|vGtv@9A) z%*8WAvDPk4qM{?O1}}&U84*mpd{cNfsYfyUG;-+3Bu`I2K_#@xxT zG3R+Wg8ZOl6Q1kN70QJO;#a;GAN#seVlJ34cFga6Sl)lD*iHMDYe17U*Sj;0J;b$# z7q?JIKSE8-_Zw^S!;IwXxL>hn=tSK<+`Prx=tZ&+>5ca|1?5V`5NU@Sj~44wfrcxSf|{}Sdce0dJX*pu>cMvljW#Rq79UQ1&1H6t z*LM*I;;D(8+pXQ}OnUiUQT5~BBPFw4=Lz%J^s_bQ4N-AEV*@!zI;Q zn)J7(si24^t(a+!oyU8mq0vR-(InQCq3(1)rwU9sJ3J@UZF)16>;- z=7Y!?AMr(|TdU7fV`}af#2u_}ZaVMa2*xn5Z!5W&&|xc5iVX#*RO&Co5#wZhD<9OE z4asbG2!1eXXf;YUMu^Etb)S!ZvM8uSACr+x zpxWiNKMf6~MIJXOWxuzncj^AC;OYjF`^AUegaPv8BT}Pk@1u%6qhDpfks_G~XAluy zJ-8fHm@W7zbmngG7q(=J$C#3L*PB=_3qC3n?Uioe$WCBz_B5(snPEiRyFkw@0CDAJ zPE2T^UQ8&tV?I<7Z|?7c7PBq*i3bI3%&EsJ!Yiqb3vK9fkau)B?&!ls`CanY(PLk2 zO7A_w-RL5rlE$7)`?f^QGkrMB*VDLVe=LfsPOj+pdflqNK~$7ZAilzs=;>$kr#aVn zruPPF8x{EZ;#7EO(%j;1-+RT$IW}p>+U%tm9sTsSay3@R%PS~Usw6S3BSQ9!iz^$PhOxfdu=$A!?^iBi6!cJn6BViLA>ISx@{_jO@6^`l5C z+qu2oEqk~lrD&rfb?d_LF3NYuZn!7j=HC{&)ab6_Omg^o(H#n|n{Sh>!l8Q>ertNT 
z{uR@Gj}<9bE(cZE`9GVjsfPG~$Z%4O3%?si`o^md!^&F8u-}Jb7V+Hx1ees+1FS>of0- z0vnkn-4c3uRFQ=AtR-n(jd5_UtnSfvutT7&-}+VdUqou-!dr@Jn(g-Pu#()qIcz|B zH$qhJoiHWBB&YbAZei2M#*Vrjsi2bh#Zh~u2Nn`a7O$m{5^^pZE@Xe>bT2J8clK&_?MdSyaZWSPqRiu!AZ#g6A~Zq1a@aun6eBFUt6TRUGGgXXIt7bOC< z`zF~hT$g2iYK|&~O2)3;v&d=_e?u^>Ov}MTktLaHmg~lqOPpwltm8`7yMYIxs-NdA z%x|V^>~~_#VzRlAzUc@z&{VuozY9Mzj$FRYo5*n4GPXEh0xyD88;&xh=F;a8X7&JE zujx^ipsm#GsAl)NQ23Y zx-#NiP6`(sh&-3NWBU3PJwJZ*&GlS2+hR7vkCqhp6y0>82Mh+Qu?J?ff>XzMBaZw` z{CL5U(dgNsLPD69vlNkNQe9Oj@Rg`H9Q;+so?6^Kp4+~voxn>fsMumz&*F#1>tv|H zXWJBT2k$QXN6o8WuPP=fYiCpoq<0-Qy;&)n3cHAKjMrRx0JSSPM1S#?vMJ8&SQ6fk z##Hc_@8R`4nc$hR>W=k(U2UG^rpw0@WG*~xm6`6u8#zJUQQdQv6w?&7q%@Kv`}sp# z1Su@VpCpVhI?1}N*Kf8zvk8q7*XW)n$u%wBBll{+GoHsu?Yr=TAD34uT1t-I!XXC3 zHPNdjn0(YuC1H^LGN;z!JN&Xl8V@8=9Feu3-?Dy)Er6QqmJL3s#vAgsUtLX-?w5zed8(?;|Xv*J$G)T{CD1 zeTMC3KXNLQuUcSvGQIFj*1r}M1{GtYc4Q{40OWFR=GALyb`N{8`KuS zvAvv)*6W!vceAQif{tv@GWB&#^jjtKjg@;M6-0Z*JQZ)f93C_YAOs?^J(S?Vq1>m4 zQJm8^wyU|7QO$2}{H~iSd`8_)82+7IAn#P|p#&)&Tdn4w}f;rspbz#!2vd7CT52C0Rq9ju-F_KPxfh`~$jfmM z)8iu6(%@O<37%W84wLm?x=-x1X(mZmPpqg!UwYqAu$QAQPsu{gp(5_nihzuRU@zy| zRZfB7TKCCbH(iPXK%+%#v+7=!V=uS~cro{o^IILaMIV|UxwUz;8AC^0?(Yqu%uZ$} zrb_SC;eT}T33lkyAC}jeHxC@X7(MU}_nS#k9}}CPF=olUWb-AfE)Aj1at4eA^?2k1 z3cJ*IHKm_g3{S1siO1?Ku^BfK(&P5vCtH(s{PH${RwHcIsJl6xvOodV?=zzrKj=uE1mb7_EK08+D*V zG83SrOIWrU)$(vdDvP}jdxLOdI5c5x_Vb;YRh^j}dove9|67{jG;%as0j9-eQ6i%L z$~70)t_)G~vy|j*BENjDE@UXgWMJQKf?@NpH&V=2aaPxU?UrYb+M(7fwJj`_FRpRu zNa*6p0(mbP@08xPN%(p|_<}|S!&MB0ZiaF8PNOznjKjc9Z>JCWPTFS@pAnE-H-zCjEnb(Av z1wT3xwg?>8vWccIo4=4c^zvZES7Dy0cX`pXa_ONNWwE01n-_h!%tR)STWkC+(6HZk zbz#!%k!cHFs930qRQhrw(LhVPnW-qYsrXJqxr&$b%TOLF{bcbY>01vA%M`{7Zg@R@UIcMIpU{)NWUzXZ0?bt!A}k&2yg@zI&9t&`j!03V>u29bXFlBKvX5v*E3q_2g$cB=Wrpy>tw){* zVfpTw1PLANPbjGeP@WEn+FIg=-Ls;#!_GPCk}%>$Zsl_CLwkkHNi{aU^}%F-ATaLT zlOEqb?d4C7Jqy~99ZHj3GkXp*WKxxaq9;%FKi^%8jR|1j@UlX%DX1+hO?)h}s=)qU zXUBuwz})cB2g=}Ot=8-0Td!@S_BQNt^)vJYCKf~;Z&4uS6R{`xEASelGR6sio%481 
z7v=VtF37^bHv#8n?h*xQPvQHAZQ(l|L3cJ&ujSTVd)4Z$YAe}xK?7luPIKwSc*cVg z&CjMt)~0SY0(9#dS8h~Yoh0PjC`5>TW3{mk5HZZq;Yu0xC6 zhuC2bM1co8*jiBZjug;m(ggzk?MI) zHREDL(M6ib$1ppNC;gqlWc)Qnrw7-VgH=#B0gl=LmRnjE8qNFHc?=vx-x@dWz9Jx} zWD{nGZr8Ogw{EV;r%`zhn31lmFMcP&Ofr5w$pK}dYF=K7Fi`-tUQ~rQKR}mn~D7vxvY<%ZQPJN540{;o~JqD&1gxzq=W+?$^9=i)6go zxGFA-1QiQCe*D&Hj37R%h_T?KQ>?a9Xzy~3W)TjbtjX)91$CcN9g?~&H%qjGZgyju zs(0MHWrO7eYh7ks(Fjzx(1m!mAtZH*Ig<&FdP=$Ur2iH`+nN9hi-LiFGGl=WqPQYgch>eUYrM(&XpIU*42 zNPmJ6c8n6A_vp?a2Fd(C@9jIw^i-gZ*SR#UE#1I$ms9W(aLdcdL(Ru6$jJ+Qxx~ZC z18&fi(gNl4p^Oq@^3w$&pKoOGi@?9L#oZZZ};;xVUVgZg%b#oR&@w zTpkXd<}TJ;R!&wNz>ha?K+PR3tvSpctvJlx-JBfEVUNH9hDAT8Hq@7X4sG~<7lQv& znHWDGH9z0~SSI#gOTzwU@Ws#jKNx%o{PG_D{LwUj@*&pz!aTnTz6^|9|TKDXc_|0+(dK(pJ|G|7ES*Ki=A$AF#PRX4P|%H=Zo*Ij%gEEHe; z&WajClH25pvGj5UH#{zrM_`Za_so%ftTuacXW&)M_Uo1_L3I^`1J6I~-^^49u$a}S zv0Sx^n4EA;H-NlJQLv^EU9OI8pS18%_=>dNc9TLL6K_x|06NH>To_|> zPpvyE-Sy#TPb(8&+1O8R{fQBXquqW>c*5Q|GRK%J)2NUEbXyyR4Puh7wnxlSxr<8P z{S6AW^!k@-E0o{m;rT>=Ve9PT8Q-u74;OlTUn$lpk$3=?tl# zI?-!Chul2x<$X9F)k^qn=S0~X{qoFOK6WyTIJZ-SBe2qn{qo!hh*BjNsYh>infra) z5~}7z3&T^2yOWLVRulu!3Tby`@B6DPvCPz_mc1(^oyXjmYlwChPfKI?ocqmRJF;PV*#- zCKAd-{1%&?D$AYxP4GwFH97N|sH_5sL-Xe*F7GmPp!Ow`*jeTs0W}n?H)XVFlP6oWFH)lG8yEdcYJNP8 zgdw`(-G_M+I$TJMh~M~nFSPo0bGA-->m}MYj!?%*j|SXW^CXdw4S1GI&A+Ri%M<|B zaO8Zyi^$QI1?Bx7=YcD?^sLK{t2C%#4t;Zf3}yB`ySGD~iE`(bRST;Vn&Efzr7<$0 z2*x|R3asy*-{0~zc{IL>7Jt_wys3Q#@6yW{DXZ#~=;+U7`dPFW{U0m75}zH&yDZ?d z!o6i=qOluE_r@LRX=H(~&`Sqb1NYf-q6-;$>Wx|7u^v3Sgf@k|bHFUpx6ORCR2*6p z&uHZMtbMzBm>`h+bA22n%vwt%#1+H7#!-KyegMa=b!7orXegE#t)0xZ7X{z>W9bHJ zBZogUNoHJM5+y90F}kFk@=^?n$o9Tn+Uqh&Pn`v1$LrzcB8pdAEF%4NXI^Y+%Z5=O zw_T4YV|h6~hNvGN3$C!?iW6_)b$Fr~12Y z?dz-@gB-~&oy{mh6BnN=(?1`}eBCEvsf5vbuZWU?S!g1rK`>2eS}-k_e42lU$ZFDI7mPehtAnjSR}kO7=SU2sOvv)AL!l1fZc45tERTF)%VQv#|1C z5)c#;7Lk^bm6KOcRMOJc(bdy8FtoI?wz0K?+Pk{Bdw6F#l28y{eJ}s|5 zDuGmNR#gWY9iQfVLJOBMbRv5GHw?Srslm?d@10n{f9cH5PwdBe%|b8{;DF*G;6koI z4nH$z`=S45{1c;e-bgoE^*#cYD0bqNq5_g8QCcRUPO-Z(Wx8p5GX{ z8nPI?4-C_VX3&JFbh232BM^7 
z$PCBAVwX!-ZjC+(Sh}@@$~4s7fqQW=L*cc5)za<9AklmJkpE zI0+iE5C($Ugm&O47VuCOKTXXsiQqA1MF}JV4T*p-=1lm1VqoiMhq3ite#)F32KmqU zt5H*DqAM-}o5(uf^V2Psw?fmGQ1_M1rrh;^0O99?CqZ+6Oz@oo)t?HU6gIhv2b4fc zQ>%y>4tN4Yu&@xIoGMaaP0@fE4Pjv5Am|2fP?dlwiWg?6WCk7;2*UtK1=4nTxv)w~ z$`Yu<{mp?=sv%3b^vDXJ3dn!PpACcA@)F927m&$ps9297TB=M;Rw`>G@~KA1CB=OO z(*D6I_xqnr&XDqt8>@`>_dJYJ=pJG(HF&-puQ78+#2#bty|Yk??t_>F4Ou%^ zG{vjAnP7cY5CIawnPr)rh5TQu{eSBIcZR{|{36OnMCUbUoR8&8H>ZT&AOnAYjs;_@ z06Rd$zX?TWHf1&<4`KR=d|=8Oo=o|i@(s61;*>WQ&Uj^9G_{)Jx&_=|O#^{?0}?)& zfC|#NUxEgx*CJ^!+6Lv`5B-egL7~q?Jd*%_G@x?u8p?_QVv^!wz(bRfKvXz@kO39r zuZb%RauCLx{n&NupVf!|J%cs4ps25)>qWl#UctfT$#I7l_`7!3-j{9a2R&wC&9$keM)8TYd|NmI~|J40Y25VGak-Ry! zP2&CjN0SqZ4OS|vnN4|>sTp~ckFaf0z~6q+qY@iGEAzRUQ>x0F)V?j`;_L3VU@$lW zNxkf<`MEU*dHjT&0hI@+T|?skI_>|5>i^NucIQwMMfKq?1w33WY?>ExLXklr5Q9K? zGTnrB=F+|S&!_vIy~s9T-zXXBa9Ky50yC9OIvuDFFiQ(G)#196xoYJc;I?K^>3GagXX@hX4F(S9>>?5w5$xTQR-ST z-84=(lX9_Crc)*7S)O!%c{Md)U(8t6Q|Ab%Ct=p`$+QG%8hB)&Gk>W1V~T?n?-l^2 zE96Iup0J^W2;Qe1K!QJ3Hh4HtB`J+lfc!Z8zsdOjVfo(-)})-mK1*Oiw{09l450#B zp$Q2(%VbeG6oDqGx?f7ZU5`tJG9?0B&PS=r4y!&Lk;jI;$QC%s1!!A}zk=1M74FUk z=o-e`u;QE(^sj~frwM1Uq`11n`dFBM5}K3xEk5fF4c1AYSPIr~FEgn%$n2U`XROyv_a$2D=l zWEbQdi4&j!$T>S>$|_j`y{J1eKY`(Y;n05aB&wf1!|ICriJEKZncuxjkzjCz|Ngr& zmzp8avPCvUia>KSbmQdadUMJfC1oj9Z@nwoyC_SbdtV56gVoOib1*DVKBsF5m`giP z)PMN0Uwb+50Pv_&!auEM;9_zh6T#p(P(BSsWeK#?M?Z_${n23gJWz1>bIX7JXdv$^ zfY?xxR0IHm_H&f~pJ=}5&g~=(t9_a;C14!G8yD7svAJ9w&Xj^ZZ@99Ws<;BBzfqNU zLhse51=qPXT(XB3##|!YnRYeX4=BAB&TlFYYsSwfIPg@kxd-_(sfSI@(}z*D3`0a* z%;C39WeGVogo=PSS29Ef8UAOrKB4@xXa7f(&jYLa$$g6~8d7f`@rW*!PYpBYxoHMw z6j2rcvp?pJ-(Sy=f5)NI)}|~}?H%)NDnH)wsU`pcyw6AMi_cc24|SVT^1WdY$cAQk z8!BF8hbB&;GUq(2FqrfOr zy{byEr3{O4m~-=BM2`rzhSb?{N&caKNCdz3{(nFOQaamw%8#_0_OeMN2b##4^Tt0s zt5c38utXL16erNjG%%1hzfmdCs4;oSG&xOJ!pz1o{FM@G`u6yzyFBbS%qF&VQHjw- zGPdrh6553AzjT;?Bu!FS!VwV0oXh>!bMD`5l=$3Aaz5jbm^=nT58{R*TOu`Hs^+>O zRlX6xCs;?~EA97>E4;AOn9-)rj%Ka1)i?r+WdQ5HPulqZQ6xdjJLFs8antM$3!|C% 
z@#BXG?ULRx5S+I7ptuldYL3F4yGl@3x&hMg|Jew^BE&Nv^4le1){iN9BgMucOC*wq zb5R6$BRL=B4HX+7LHBx}-1)+M3?bXu+Imw}uTO1K{3PXae$%Gz@|dHi*?Y&D)dyWi zq1M(|LDe1bZ{)S+9%<<^XE$C1a3l%fh#ELE%)jow|J_FM!a`oIw^-9}VZ`aXF(b%c zA(ju)k4@rQ!ZQF)@+RB?VPefw59OBu-Pa990Gq^f2Y8wWpE*F5+6}<)gKp%^C(yv0 z=?~Pw+z6ODopvBfh^KC1!lX0$mIc{%t7HYi(_C z|Gb$$eD?POkdIvK8bsfF2^#DxzxmoZJbdw@bpXctCKBJ6ujgmV$&*+y&6`2_0%GgL7Zsz4? z104(q1t@bS5-hGf>t}vPP!K@xV7Nj2DRqU10SP2Q9Gz`8r8KR^6AVopLn^M0*A}^p zMwaY#Ke_Wwysd72cDBpfu~Mo<v_GQEBE*D#-}f`xdR{y|NJF2 zBaF?zWn;vfJ~0M(KmHdIQHjZXUa0{{M4PH?>p?*4Tlx60vcjIXD`1FTSbOL4D!B9} z8C-*6Jaqvqak8Y$KAWyPRSckHx)z|soMhL37fecEt_4e`{LYh!-zH-OTJ$m0hg&RJ zJoGp3y{gltkB^sRh*C3T9j}V_1VEFo0G0}b5&S>GQ=C7BECUA&ISdRUz;gkw4fI97 ztai|_Nh^)#O}-N-*JZdO`q}4>-S~&1I^p+C`r2Q2-foF+HrLmOjnA70No7Y5SC$#Y z%Qn5b*U?;&YKpx|G(BeUvXnbhTjOYQQo|T)?odYYn(iU|&&WV2Hy^2-1;2yN&9xa3ox z74OF;7Fb>e63uyg{9^~($+`wmRWK%lZC*QJ5P`50B?E&tdtocwiYMk08UFPCC{63E zIe1r9F?#?EDUGp_^y>linL<0Rp$zNOK`8LpoywOVx}g#?+|ODEdjhF3z%ha4g|+zL zdH>KlJE);{bNVMz5H;UWTFG=1IrAk?iOJ%&i`nDn$h)~#gcF4Wd&FJ;qR0ZfrO zcT~yhqpqWHCnv&E3`|x+f}5;{%;m&I@95*IiGapW_OCOmf48CIQ<7U3&6IS-{SGwG zSs<^poyms4f}qhUHFA0Wn}5lsXSj05V|-`O$=f zwnPccy}%$1OkVzAx$LKy9UztVbBm3Yos^R#NdmCYJH{=%emYa%<dd8yU60P5cmp zU19_STM&VUw!&#^>1U_}GRz6BB6EP&21V4K=0MOp%dVLat$E<1Zd`_LAB7|0 z8c9`l`fJER2pI_U(6(~{1SO>@OZ0%q1wj43sYMIec*~LVY$bZ$)DW*RP0=K1YTQU3 z#!Geg*em#h=9W_#5?5nd(&JUiL*x_oH>O;DL8$_DtTv(hJWq##18l;0kj_F}SSACK z1iRyU_cM`syFW#PR&^U2Svi#W$2TYk+Y@scVc>T1dnzzui2MwzGgmY~;dybjG-vY0q~B70#a^v(z#2r7&{G@Apq{x;m1!?Yw#U_0WGKu zi%T(H{eg3Td%>!csX5T6Y1-qxyHSenYjg0C@P#bFO_?g0ERcDE3?Dah3~zDb&-(1Y z+{YuaYzVaomCBBQuo^0{MP~FXve7`H%(*;J(5V4^0Ei_3-_Y7xOhcfN0VVI>xO*$) zbktoC%h3NoS<3)ZwzPzLK-t8Jr>josNSQs7?}2Nay~ujRjhi~ft6xEsnt#x#e*gh9$1d*x(a)+ z_tB3In}qW`!9g&A|omM)TCvKM{=8t4*Uys#fB&)GIH+0!K|*la)J9@vVrI>O(zjka(hNpE zV}ODBr`T#b>Oo%X*R(V?_(v(NcY?@tlMct7ZkM8aUvBGcex9RXslTLNeD0PUi7`fY zM$9cDX(BBnL0)3{03c~I3*;k}Ny~Xp(6B zq2d05a6n!U%jdBJGd&`Z7x!JYqpcirS`2vW$b) zjgh$I1n21qE&~P8mH=H5_o+P^hnz9dPq+f?3jE1B1&iMqN&SIUPt41E>u`th5Rkg~ 
z%`N5${(`nUJBfajYKN^s?#{ija)n`p+GcS2QzZ_#FM~Vxzf3&WAES-5ltnM*h7?Rd zug4sKZb=j5B0x$(E&^pP3WOEXIZbN0 z6CcXwcNOL$ClwB|fKJ8k6d9Oj5CQ24&@vV%CV<{#Bp4eoa8RS4ns)fpFySZHUdF+t ze0^r09>mnQ9do${d38%iaqyK0&%Pg4mgnJG%F4hfsy9#BE^15Q;-gm?U9m*`+9#OO z)SO}204P(zVtfK>2lpHM1ay@&Ah^J^0+c+!r%!_UDfoNPrz5Oqhy5Fb2-;f107KCO z#tE%9@wu8vdx}{6=&fm$I9Ls{70L7f%QA7@uD6dtDN5}r(Bdb`N&Xob{UgfCEzs2Z z<>IN|_kcR@%Hw9mGK^0aj#I#_eX8FG;7{N6Qeg%V<5k&;*9Wr zkDL~0%wZdNe_coc?x<7#E^dk!%-f63cBQoB0v*DGEAH3P4Je^t^hFQrI;-;ajH$Du zIl=X0V20?zL=J{AN$J)eX8v~PtA_+(D((b+h^V2CN9b)}Y;Nv^9PP;z*ff7t?dwlU-%wtZ-)TLXT&jQd>o%+3f8 z^zmihund0fT^WCxhfKc`>y|PsPz6DS46f#Yph`Rim9>aH^Ii$Ks-q!GXajeag8+qt zC-QTaB_KE>usqs$3R!CY+AvUez}_8JYy|YvZ(uM2{W}647-Ye+Pe8)pYiozN=W*Ga zaPA#L?r7vg^H&0^187hR4xfCU8Y@K4(uSb?(808YjLzb~6Ic~!Y8bEOf}T7Wb|V5N zTtI&b#WXZ@;DCt0f`dP>Rsg*s|F{D<6X3^`;KZ3TZ^ezt5;6q+rSkkM4sDnIDo(X) zo&JIj`l`I0P2xW2gR!&n?0t-h^SLgA-ucs2y21sQ!3&6r`G5kPSg9X7!p=Dd?!O_C zCG+!nrLcVqn^LMRwAKuS9t`udvpuji=aB)nAsSC%OPT7&d&Ds-k-RM|6B^fS6R*`2 z!gfVto=p?U-$1M*I}BaANHQNG3QHtbF)BNT%up7I}b}wIEiPD#y=Mmac)#*D3%n2M}IG`fKS&pfO5G{>7U^ z&TRRApUKL+y^>-<+NwC`EiTUSahUHqDEBb9=8YNU(i@uZy$mi(rl3@4qg5_(%ZBgm9xs0Nw$2j#f-d#*H3Gl(HdmiQd7SwHr`Sj*;G`Qs}ltsNd{fK%#V2U z7Yv=lN99Kd`l}=RWdr1yBLfKMH2Ty9_cl}mUQ2KK%xvN9?Q+mPTN#-*HC$s%S&Ml_ zGe8D>O#r`IduZinJ|1Cg^@JHNLy|K#4)_D@m;4Q(Q7B<+u+40XGZ4qWyzB=&eAQAd8%? 
z_nl;)Fw~g+UCAt>Q~jEe5Zm{7`9le{nVELIu?57;3~&L+{(rej@-I1_(c_k@y#@iM zKnDU$-P6{gH+{>b8k(4`E4;#K4!rMHNWX5v{k__q%i)jfGR`l|viPxV3>?J`^ZT$p zCU{}2b=!*uFez+1zm9~<32&VJguWc18Qv;!D z>558Nsg~=oIsh zm`w6)F2R^AfwDI)3|+;YnSa!W>{`MZm9eQ^op?MBU~A`-9*8DYQMG-ARP!%S-k9#( zJt%R_T&ya(9P+N~&Cbr?wTCRw+B*MrSQrXQtKUC`FcH|nV?Y7GjF+U2U4vNoibott zI0&qE09gHUF_8xrfYZwkW8+iL{>xng|BB;!qwKS3GL^R`T7{_} zRA4Iz##j}WHQ`{Rc;|X@29%S5SK)=F%)~QiaA$k;Tkz9plmOCVJ0-0w7-@0*9!4H=5#O}aC1e_- zjJk+@*H^k3c*5aZv|wn4aTY7kfSo4<+@cWkYv}%e*t_<4DAWEuUN5yOwop>2)xkLm z)kr543K>S4P}s_hMllY%Q%;@epoAvp~r^nYiS9ji-74;YEIv_Mb%PDy7=`89R68 zO3lZ48ICATgwg>n#(uJqlol z7J?PP?1U>P8E$~5++IIeSPl4TP11tbe1K9y0QGB6v&W8LQk@Ycx}y#Sh#yRLjz^6- zIx7USo+=SdiJPvrOG_?Y6qCFU!PWV+)Pe0DLB=uD+m7Dc(H1U>eD^Fy zy$mp_gn-2g^$|Y*I|c_sI2j28;j~r)I_Cy({6ORu=d?D7cb-$ z9Y)CG)9f?Hizsw_^C^K@#a^(-AjE!X?H+00pXM7wYqGeY?`8k;Bf-TnmcG+hmp3tFr9)C0TCrP@SVA zds{$BYNl}&qx*F4YPr76$hXPSISQsSl8L48mAc1pC6@m*Zc6#tX3KYfp zC!yA|qGz6h0E%yFsPZbCyoSOi2>7WB?ONHQPdANu>i{br>x8m+;>2F#*LZ@XMF`*B zsL?lCyeJI8k*1y(2+@T=qX7Ago!|-%*plP+z|PNQ5X=Ukz7xE&34k;ayYqqH^rW#8 zQf?*xQhc2%#xdJ5nr~?ldS#KDxeZ&~yy1t-0Sw0c;nbdwgr=<39Ua?KBe!j5$gxkJ zjBrUt3!Ty%D#@}rqQe283E>81$8ZV{Noz4l^gCn)wj7+$zd65(nkQ19lk-9)q1BST z&HCw#D&0nBI%=6b~QgG)po(R5^W`HLNwk@8Y@K?ROtjqf~s&Xva#4 znq;l6pRA)dWxRQah!$tZaPSh~HE)UpUXBG%<3XGV!SoWSWqeEo4(zc&IU-mE#a!YT z&3k_NO=4bN%kc$s-^re1=7yEXX9daS&j(%Dot~MPcZB*$;Kv~SS(V59v4lC=%weVN zi&~1-7ZVYFe1X)uS|)qjwumzk^C}$U-e&HEItfg7+(}8k%(VnT!cIgfWic`)e))f$ zM=|dbPhNk*DB;-D1h)J51@P+dcG0oO=5NVzzBQ^eA}dKWW?$(LV^F+U%lu^Ml^;k* zNqcCriFDGmkcXt{9v-TlH%*r9I`d5T=)%T^!t>KmSV;mxQbGtRXT|w#kM<%AAX!|E zC2yhJ|{sx(R%_`u3wq}rM6FWkzo<7k3%ruWd?%S)>d1=ggv6z9f^ z1{QXE4j;coWM6rRz=G2$g2yGP7&~DVZ3=%S6XH#P;olP9B*vMEJiMKUp)g7d{bmt> zRq?he+v$zQ=Sp9ILK?wdeS%JedfOjHp@gt-ivMZMHGO)RmRaBMA7{0&moF!bkRZIR9%{ zX~$T4n3&2eZ95o!r_EI-=OaNR<<{Lt(^o2}QTHylXlSoj9V}ZaR}^y>`AECkz@pM3 zYBIgrcb=}$!d6am^R!hpEZwUD-AdALowgvN`#%mjrg<3!fNnUQ{G^kJC)-e#0@W2y zLH)j}5-Fq83q_xH_3A1V6g&!W1q4NlCv~4rv&=XjO+8ALK!HqK}FeYh+7LX2bD 
z>swx=eD!X2mh{gpDs92CheBSxa_(WpdU9%7F3TQDZ_ZqQ=u+0;YG26{9-X@`bBz_9 z}ZL&HJ*-0?s(l?Mfbz7TNLiF`W_fM)BXMZZQjya^gXv+L==?pKM+;e`HSdElg>&PJxA{{^fGL7 zon*D9oeY2Tj{^A3KPFqr0h-6Y8aww z2;rzw<{Ncx$W_izubmpXbJt7IZ@bS$tsbyZ_1Ey#!wwd*Ej+xZy6r$={(|rK4n+<4 zD&>+M)ghn)Hoz7a2%9mt=}*85S_PCy&zPvQ5;9Hd-Rlut9lTIp2BI=n z1MB>48fh)98+VD!!sse_|3nYz?|l9oz;g5HR@0PPs)PH_UVpap6-HL~)lY`S9-@_G zNRtaA=C{gw->F0}XLsP|16m{Z%ye9K_dOI_XHr^vVM{Ufx%d56UBVklp#xF}iHZ4~ zAr22&$b)j9i_PZI%5<97*YT{zFV@E3DVROZR~ygI?(h@2`tLcyUBhivQUBIiy&L&= zhNbpC)0vIn2N_-FLO&du-CzPY=20p(JXW0QEy3H_bL_rUpE?yc&tVRjmoA51CZ)tB zs_U%g%|UOnZ|O%uQ-VqTDvsHTA!1tWN5TlLwOd^|GIRTZ9G(6DJuu7`J&e3UvMh=w z>a6|=2goOU5&csib2D}m9J~Ml7@fKK-jr#JngOoL8gGlK_?D+>xOwW|cRga0*c(iH zoF{FPjRNbJ&NKhr8vW$SgA`k>ih<&&xL$;^-oN)={~}9Gj+1|8Yh9rZ2Ap7s(NEmJVobo+0Q!>P&1iWyM+x9ufXpdy1{{u5$rfDJ6iu@41vgmFeB@GH5TUGq3MW zb`L7w01$WW2@az|03(y@*DsitIG+sQ^woL_){^%-Kfc+14#3K~8oms;ad|_Q2}sN%PB8UG`u+;>(802E+6o13K7+4P)3$3LQB9XI(2g-| z0J%$ae;6-shF~cMjTi&u)s7$E@$iNG84f(D{G6m0yKT(&7x7RPq-^|Jn`5)&UgMU* z!OZuanUp8JroF3WM?aJ!WTjWjHz)db4(~1m-nGjHV|ghnmz<34-S3WVGkq~9@aZHL zDy>xSL_eKeZ1iZpR*=Idh*PdvGVr{?C9J^;#108*3SB`Hk8vl$<{q~6Goieaz>EYg9ZgIMfNka(cX!kKq2`DShI#jG|Rd`jr z_NIOIKs5sXXS#o26#LIT*fuCS^#i}r?RL(-gvYZltz=ZV9=<2-dNQLp|WUDu5%?UE?%W{!ZVFCaxx|qVDou|9H4LR0&ns+N@9thvN zG#+UKcgzW5{a{5g5JjF;vw1lbMhGoB97Z0bupi&87hv7$v(m^LpyZ*(0&mQQx(hO< z3IZF9Ix;rO-Z!Hd)-G9`xrtQcIEMyUC^3i6B}e`N-QM$xM8Glmh!8&mbxP~ z(i_f}(QB$cl$wkAGHj>0ZOwe=z?9m%yd~V+K=L+o{zS#%TR6OeSkvSYf2~u)VM^ttMgT5TyH|Hc?x%{bkb8B&UNcIGGR=S zRJ;CJA}Q&m56<0wniP1Bbr!6mc+8bgMOwH?Bp46jWe08vv!aZr;rjrv0t%v6hhgOr z4s3+rvvxuyBGB7*d4z=6bE~L@p-my0Ef1I>p_-=*0Jo^%7#eS7@{uq72fNf zv-ApE0hrac8)M-z9&Td`qMqZQWUGx9w+J#!%kHR+y430GN2qTXom~$;1kuC~Brxb1 zH+mU2E&g&9v=u&+;L^fyzvcnZv?wTH551B7YvcDH3CnC{P&8Td&{V-(H{t)~Z{972JY|fezA!T8D}j#b7wg>j_LY>_5#wb? 
zyFv}>j9NSZver~L8`+S1M#5uR;#1yrAqCh~7D3d+rp~uX8>GT9Mszuw-7hG42wVl5{_lIk?=6wZ>ia zgszZfw(pc9mgKgIgRC{5fC<>r1PZpD4l4~XG==f~0N#Yx2{kzdQP~ckxZh{8J&Z{r zaA{-&NCr~LBt@7xm;zG-a5WQ$2@0htpOm`sd6sdLJ^#~Lq55?`eU0qlc)2dBriple zYwMDd4ZaasAw?RJqt#{>-yIodAe~LonavX!H{Z_5)hcyq(YrE6J4h>c-MU}@xwI=# z-kCj~k7W?bD(1oLTBt>%nul|9Nr`tgQvo3%5-l>RDVsUC)r_Sp;f{#!7;j`@?vNz+w5Wq;yQoHX-};X6psmgXfPF$58QpRDi{E=pF2YEn8yQmAZ-F-!!J z%tPqUVmgiz(_x!tRd*fvRnHl* z@`1889|=c)7EMjFr443#xDPoFS|R{a)H1Q^*?RpzdNQZ-D4?n|k2fne{}7ioD*tTR z)N<=o3emuqa$=gQc9?YUs&=#v#le0_Ra2TG{8#a{QPa=dOi;qlfpykM^wYLX18wth zNzW&Ya8U8%X{_ag&U#7E6up*${yraG2E zRI9>%dR;W*R2fOS0nPHV${M@3P4-$x)kl}QBfBE9jI!1};kB^~&p?65rT5beL%*2?eLWMIizL^|K|Lpbm09a zo$G?;pcaXlx44KDxO3pR>Z)Msd126;H|S#Et(UZJaM5;5cG%Oyn;EY8Dr|2t46r$l zQl9tKR6+ey5X0A*%CVCPShG=k|J@CZHQjRTzY?%FM(vfWtnAR@)`m7phRms+1r3uh zu38k->A&8LQe`Cj2K1_zjr#nRj{ZVUcC!NG8h-H-X9f=+yA#j7mnh6TNHmZBEp(8* zYaUp`WNj+2CM8>8&O+<<=>VKXD3gJKmDEkSFI#;Juu~4_?w4^%oay2Ej0RETAYclu zn)%Q7Q!tew{w&5?i-6~P2*QU`ZrMHqko{K7CkBRaxI|klh8`mX4RJ0sgK)Gth_5&0 z;g2VdN$TD?8D~~hX<5pO>wA{XcH{Z;eG$X(1Nw@` zVJr~|kp3|Pto0sW|I}>~Yei!%09=j$xSBE)WhBdueM69!eP?k+k5&cx4#*eOW>!<@ zmw5gvpn=}sdOl`a>XqPq!pjl_1br&wixlB$tvc41$-yzDXSHKpS0A4VA#3sxWe(vp z6F>;LFPW%be~}pj#&jd9Gib3+Q?gMk%fk5JT*dBpGH2h{3dY zUfXK;_xs-4azet+L0Q!WlUa>qgD}WRg_ymC?vPGC2(gO7glx95#Aj6WbG-lT4)dpp74Y%I!yo<_FmD@2cmmEA%mV45p=CoYPI^0vMYp1X01c)*T2VL zaK^oNqFN^v#~iUQ@=aKs97FGq+=*(LR2+Xx3iT~AXuLMiV!a1{>?Q{MV$#v7GxQsD zMyaRL6}E3tY3AX6^KhpK*iD z!juF#p)pQ#-l8Ug8wqO_=%~rR#+jumHLjqgjtM&~xFPhy$)e-Iaws>&OTb?nlux4> zKq$YO&yfskJV7r6s-lM%BvCkGE5!ZKWWXwuBVxZ?*?3ds{DB2vLhZCx5RcYp{l8fKV&lS?%^fsI2gT@$^`A1 zqmw^<`X2!{b#3>x!=b^(NX;yxIPUh&LZIJjFZ*4*gQLd_3I;fSNIL<#5`hM^{8itBwePu zssLxHhjjGc>1Lwnktlh$8HwF&cS|;_;+@bJcjp+Lsh1chP7sM#f(nJE6BL+ui_@_w z&3JOdhsd?eWK_49VqOrlrzThP%PSX*Lyv>G1=Gi=G~ktgK2k^z`Ab)Dpauc9Vv7RT zf2ToMJrC1GUJgpYpaww@90;5rD}BwnQ)^|QHDYLgi3qYl^QV_B-!&1N*&I!EM4K=o zGQ!4d<`88{v$+BrDAgHSIl1bV%C9%gA%fjMJNJr}7PU>~zPjY{aW%7eVx8_7*Z@Sh 
z(C@t%rJ!6tjLlQO@!6SSzOyrxu1uOn+o{V$)bMrb-HyfS$>=`p0M=n@+b^g|b!Qf; zk|qI4x*1f`)2^;RbF2aviawT??FtsvPp@Ge9z6%V@-`h_bXyW?f!nec1aAFZUWk?e zk)*CC(kO{KWwk0e`~7 zfxE7|cSOx0Fd;86JbGMuWp!+qk7#iy&mlgI*J|InSv2Z$cS6x~N7e0Y8wx#i7xwuQ@m) zur*ygxU=BkfzJxYtpA%oRsZj6S)ehxcZ^HpW_XAHhZ8pO+}nx5yq#HQ(Z5Molo{V% zTg*}3Rjutub!6IrBRd2-vRGJ3v*)GMgj92ua?ykM@wQ+2)9r?j%J_xy1@~}j9L5Tq z(V#oe@%1`M`z9?o?J`5f!5~^3{4X@8z1uT;;UJ9l#N#(GxhIlj!2uI^jQKhF0MHHLnq5i5Z{$b_b75xvU?H$&f*>Lc^w~TG-D<&-fH}It2{8LYRV-aNvAM-c5kSd&UO(z8e-fSoTO#`#$gWO!TDc|EvY|&F~xa|=`6?C(XV5y z>Ca>AFU8t$Y}w`#-e3n=trfyy2X$}q%4Z;Lo|qV2jkZ;F*7nLlW*drkw0Y;88%fpR znM3dzusZ5UCDacN9K`Hwv0r;zEybRztz9x=4nd4hAIoyk>mLA#Y+w$t5|H{)HB)+K zfN|<6KIP)ugK6eTk0+E%njllQt&G2vy5A@JYid~msihiCEp_TG@x;mOY`2`v?AJlD zeA7a?_>1N2mbTHQ@qgD}|3wVTmJ`73)BHTTqay_DMc#3r6$yUMuC9Gg zQn@$!b$uo)+#`j>fwwHz< zri`+7N1Wr{zE7C99&h&WH|e^!F2Y7bfLCk#RFB8vn(@#Nz_=`X>A$(c4UT#gh_Z$m zd=Zz8zNX)V{D-wHZj%cKW3we^)OX2CemJD>ddR5SWtyac5s=wf z1?Z%k$=i-BtEYI~q^547djW7kIWHRMUNXZ}@_@N+W_3SrZ%^(W=H&z?RF6+mWiPTgs&j~!yhxb* zf!>~j&9a}amqdf;isV!k*h(a-PgW|%NOmiH2DpoL<1LW8@^|;zmOp)`o1!&z8J*t( z@HFP!fET?hWtckcfKSmibzrl<-1N$G2x=ySfM$}qbKhLI?y=8VlD2C9b;VK8f~A;i zI}c2QRCfdlEbuAlKEeR-%cVSEBY6SP#-Cx4|{>6m#riLes&I zIU;|G&U*C4;Kh)9bPU~Pt-q(JgC56M{?u3*fZC`c_8>8FmrC3iFVW#Z0f@LY#Wl(h z;>=0%+gfEaWtob8)!ET_rK0wT0`tcjN3}v5Q+3vxS2GNrPlba7HjInOS?#dzz1v`9 zbLe;$=5)fN(}|PW63vtYz9Ol}$?xfLEW?!8KHd5hseP+JLxq|I*Ta|Xd!+W3hXkFV zL?2Jgb@&X}G5;Gde>D+c{<3+q1zHS$|4DxRkLvn0Uq-Ew>Kfk=tNwj;+{#Lt{L&i0 z7t-fqqQ6QU8E>RQI4`{BxSbqorG+rgArX+wT$e)3Pd5)-)z@bV{9IB_2FS|&){b9h zwz7L7o<|@<1{F>EBVWvz$EU8~_n(L&#uGYSFKFLO+>@lUh`t`u{a7~&gv zK`O+H#X**@#0NTw&;5VcVzxD4Kue=kx^H$JB|?tvd8BoQ!7Bhvp3|{2rj)2(TB|Ky zj(P>oqDGa@3z7xf(bA4Q{n*UUWF?O)Kni0?+$$BX zg1+@LIY6(W0&5+hR}9!P7C<;tF<*hx2}-=zrfTt=cLz#cg{GP_<`5b98d6nzdS&Wh z&x{f*l3P!w7EMtTiblHjtesPvCS0$Cr`^-GZQHhO+qS1|+qP}nwryKaW53^j*txRK zbDFHGyW$P0Jo`l;3$} zD!S>xtGjL&?KysCxi<34E=|VrvWy9{2goz;3r3Bqf>hc;CI^K&i?$7oIGFEI=f%Jc zp|n;s;KZ&tO+CPTg00k<-k_! 
z%9QPa8j=BPGV4LmQ5UcbhDW~|$fZ_hr3`vk3cqB`5|{!?lXI+_`G2+Xah9X`tPC3z zMWG1TIF&Ms+zbWYJ~yOAj=KG+iQ%wzGCXyXO@IV_mYzSl|Fj{t2>#LcbhS6|{}*01 zof#jU<5F~Yaq6th>Xdwh^zX(XS&HF|*30LJ=CAe12sxBijk3Q)BwJ`8c@ZDvcKUW3 z#G{2&b9!LBP^eMl=+q>siOQQB0BVa*rq|OW9(_*{&$EEBRskfXL~w+Rq5Pd(@cO@r zGK;V$O#kH9Unr3tUSC;4dZz#&ZF zo^IMQ|H5jerJ-dFWK6S5><$1)Rild-%`-YS6VPn<{99L(XW@)n;sT1)a^Ii+JA0(8 zshK9SX;LR!(bc|}NN_m*uXuJgwt4-^)?W#3S}JV*k>M6zou*(|btC$s2>pIjAFwa_ zmiaTgnC;N-B)`dWj$5g?qmqvB_M_3ak?R{bIoY}~@b9$Lkjk-9OXnNIPD-kG&fh$9 z7VcjgA_(hI#QLD79q`H1(QIhVcWzR^&4VQ}#~ly4ub(%Fp{M|vdFo{GaxjGMhe0yZ zi=6B#E3DZN*H=^y0M3dEfc^(hR1oMdRVNWG6u*HbVS$*GKru0-5@<0g%0+xI5iJW4 z7?7xlBB-bcn-Ul(P*I^0D5X>qg+v0D09WySAYIkfEze%BC-;-v>(9f)Hs@Qev;A%M zhi@M_`$XfzQrA_0R6+vz6FXExY{+|2S1yXoO9NG=uVk{WZx5@W3Q|S(RGNB>V&u+u zZva7yVx-_znq*$pw~1KG90kBC9m`h-<0t2ljJ)i4{WkGQv378s*-WQz^)r>1q|4p4 zFSJ3M^}#P&wjUIrZ!E(wxE1p^^@SXn<{bh#`u)(yUshG!(D_Lk;wERVKSr@fO-N+^ovF1MSP`ca;vscvyzZ z27=Tme!aKvoM~Q?;;-SWiQGVk9z=vOKtda3?coT0F^vAF)HZeeQ3Zi_;l4OL4_oP? zGWpQ!3=jF}DfLBe=sX#<1&!$!HY|`nR^y|(I@vd34&lUYNqq9u zomkVh+RfR0G+kkiU3I?+sX&F^mY`>60?Pxv{kK-!>~jH96G zg`|@d{DA+L&&T1G?x7dLskk9cE{IP1{chJ5Lpgsx(QPExztEM!GL6(U7R`*X56?)Z z>$DzRiS2(TdCqqjS+6dDiP^ZKOI&S4d?2Z3KV{>Q6+tm?HpKmQw5^yg zzh-mBMA;?*cB-L@bvz}-^b1+_t493b`IJaZ-qC)N=OO5|(459~1Zyv?3EW7uHVy{@ z=704Shs7}{)-o{vg-ZFH-wz=SrB9er*Z>aY4Mz(2hu8AYcvfuWC@Ex$G|6- zgXu9q@w9e2R~t=reP~P4A zclGa`9*4-tTT}I_Kwo!Jymnk+Z!dH}oh}8NN5TLr0^|l`sJ&%HiG3dSE;IeS>}Xs! 
zYCcV*@6y@LFqD#kCvuNM9v&JQgK;vYR=Q}Nv$@E^DyxEi!>j$jb6q#sDeL^P{Sbn# zj*bjg1(WeeGm0tuH?fy2xhVJxF;|!QHSEvgWH*b!X01If@&luj^8(qU0_~szMisC* zc;rO$IjI~N?dN;t7%SGg*M;?s<0{l1lhzNnfX13i&9w9mH#v`^8D_#`&hM9EEg-gU z$G@He$xBF1TJfQlMAA=GDANiDPza3JStECMU%?I{Qc zIN-@(S%c>=GK7cvmd$5yhWtoe}EI z(q-y2{xPOUz|1^RjMpb?#_uh{mY?oHo-66_2z9?=^A3zElufg$eYzCT^e%d-zr7H` z%{?d&dImAtz-;Q=o@5S9^(n21alaMK>=C-|h&>R4>(3SC6-0*P7gmZHew|~F_&e7W z^xRb2E)CA7rj5f_cB>hAKH`>>&QV5ggR zn}bwXE$mGeGi0ePw1uL)Q6uuAz4R#>7Y;RPw?Si^f?T_FuTtysyy*F^V0ok`Y1M=J zW*}Ka*yjDX65L}LD`_t$>P%^c#l0CdproBWN& z8YW=`Y@S(YyaU6PMO;Ok15728rmWP}UdQL)B;JMAR}LHwze-i{?^c#zZdKAP?cUak zzR|5RX1P6EL7gtLB@S2~uOE*hBE}j`^B9HX4sN%VQWjjjZh`6{8#H5IuB!en z3|AJTSsAZq=DR-c2<*JzBqIr$aYI?!}+k0K8J7lSoa zr@l71V36`U;t4g)b0%(&dhB2_q$SylhzUg!fz?_I2caXQZ5F`125qsVW)#CWNLG1*%J{rzokgb4|H~nZ6&`8Wk^htV77`F#zFa5k!0&Ld)$VWzW~Lf31z9p)9EDLR)oC zb|9}_L&E`31@o1%)@P2r%ap@a6J1QR1R`=Ai?v%g-~EdnahJP9QiJ0&ER2tr_kJ!$ zjf`CbihOnpsgL%`+v`7>bK{Q$q9+m$YFIPOk%dt8=3_olrJ%haoTd)0UN%p+IJ+k0 z)bh5SkX{hnp~xD@@n{@(re08&X}&PG>p6+rfR19DDQA?1%b%;?w#()A`d^sCu>a{& zj@H=Qn^X6M!&EvwADNvKwR>Om6f?D`Z!1@`xNc`bxBFto^I=#A;7lhM_wkAyYqIOY z$KK|LNS&zYL-f}7d%M$xm$?V00mqM-H-Tk!v~y^tYBdD9gNKQu#+!4IlT2NvvN%i` z(%c}LmwbF|PQ6!*{cIdQOJ_)B;x4|cQ>vVlJ^jU&uZYQp41DL;xn`o~JaYzbTSGTB zb!YWUde|$7IbFixVMrU9(#a$=N*2tqc;m%?@tc#0iI<~pfl$hzi{{D zL2Sm!O1!D@5TDvmYo#Gz1vJI66I~|}!lNUu%$H;6>4_T}3{`vM%&=8Ns?0zaG`Je; zek!-Qc?xx!th0O*ipf+7n>0hyIzFR;r=l1OP(Gqw?u@p;6UVWZ$R3_ksH4A^GuGhs z3E$>RH{L)ZP{j>GjA=&3! 
z&ew&ihSwr58KZk!YpvT@1@Bf)GcvH((Ro75M)j!O*m&L`q z13N^5b8F-e>2(fIZ}d&zO!M5Firy^El2l~9+Fc`gO9|%`UgEoPdZBLey%Y6NpCO;$ z4ML(RLwo2qnUsp9qYCsj4z;=1mf^!#J+EUgq&fnjXRX_5>PVF6VG!EI?AjMfmuA=@tfB zl2mKnPGoZbVnxP*Cz3kW2aJl=lm*+oOjaU|FjN7hpR<7Ji||w|c=?KG@cF5Zurv9iqj&vGl#wO%(8JPh;C74DAZsgziRlo34c7sjjf&4?+Yuh^3e zTiTpm5v74-pRgtBc44ZvZ&ih(m?@*oR5@PqVXL|mmYhzmQ?rX*AahG*PvuWBailJ3 zrl)_$wQkla8|o07&Gw|Yh#Xa&)G8Db=6s&b?LG4F^m0?@a2y;?B2=+;V|=7_XzWS) zT=A!ho&jq(f#d4bh6{9*Y*ZcaFGKiBOn%ggJG;IODpOKC{3XhJUb$U_KSD3P^z=5s zTO+(6vKP{f%NzBL`GD44?;dVc$nj@s=s=V9d%3*)NqxJ*_fF4elCx`ONWdGcPmFz6^5dm=t1N}N z5p)QJxv`ciJ%Wr2hsiHcDY%4(pmkr-6BvfZY2=eOKG-`{CWHQpNxzJ*dq1zezpO{G zqQOyc+UBOj7q*}FWK$bL4XbK;(a%pi&HfVVPL;SOy{U5T+PW=cJLXWMe@Ad-wErQ` z2d&JeT#)lVcq_Pd`wc~X@dP{+ zxiLp@)bfS3*z(j$`(U*HjWCh6ei8AO+?BdWStCEJd`6e4QCgMhA(e_WHF{@l zu!&t#h=;U9PKtWH8MZ0zMU0PcK#3Vqy)cAQ&~KEBJ6!Fx?P{p8c2Y!6M2oSp5jpZ!tL^_flLL8cc6c`JEBDN^ z&-s$O?6T(5YGt#k>#nz}?zY$J=6kH?F8}!(Tyo|MdKdWdn8o7HDprcmD*jmZG$I61 z`Hf27&>{eddEjoaBZy)fzzsG7 z6lHyAypBha4RS?i&4Cf_=l)*m-t`$sW$MhKPQeLNQ7cE)h#%>Zu)8AXnT%<1%;Na^ zS$U3ITCp6-+J*pJ7oNw54AzmdH(?!J&lqn`7k<0(yT4O>CoW_$IsQuWeI7u;U&wXl zC04XfbymVEAod=RH43#=GL(DGZQz~Fps#lKz^`vP#W&XH|CtmpL^T;?N@vr|lQ`Wi(tW?ILG zv->BCbrK_T5F)<9TU`%H*KJ+7arHKUw*TM$%si0mLF>QY^Y zDlmfPzE0?fz=WZ*0)L>k9Vd!g>gf=Ugs^1rxy4tfb`Arg z^rOLaV|~U_y?uJ_?7vc*e5MDnX5w`rb_kOtajFAd=K9=c!m{I4@sVroDP%JS%&SB& z3@G&Xou89Ft2`e(z{WN`E^<8n0_9h;qCmBG7l8k(`@7NGq&24Q8X|XGFGEj|Em+>b zI84C?lF8Cu_W|hVonUD{|JmUC83F3~M|LOvOk2$+;3*?up=VhAT^lBDLEQ#VgD0Gc zmmgXVlhvmRKvIjN+uyZc1;|-2_6@{857?YM@Hh-XjmYnlRVkUqqRhJv?!5tREq!ho zwTuHCmY0thW)p)3tp}b>_+g+ql!dhCBP(89xKi6=M_<`;#= z3SfjmHCcF2*qyDQL!&IN-MmXNxjGKl=o7Mmdo4?oBae2f}YqIM|#hxyI~XAMw7N!UcoXc2*1LPc;XL_I;& zArL??e=Fj#P~~KG_yuRw+YaNek0afy{PrJt3Apc39G=)ZSfu^j>$$y?iKrZ0p=ibt z931vdWDuNd2y#&LA31VJ~gKNa}jCAejnP$qQ3Au!tE=H#u4^tY)JtUn*I48EjYU)7Gt z^b^RhWBB}%fA%O2QMAGL3{(L93!vXA;>doH+C*!ppTE&7NjK1@LowV;x%?Qit?=ag z0!%H8{={pypU5CZ61@BJL@3_q{bob-bo%4vS9y|@!9H|W@np3c84jh{Uq#0Ah78TU 
zW!4Hez5Wy_0|oWq=ZG4{@u~kHc1;ZKv5YW&#@@@-Tl4~LC*UUsGMrfq;*kag7i`LE z-q(*F{No`f@I{Qd<|m~RnStnngOg1xE+$bLh(hLLXG z$02Yi!uk{Cixy}`9t>S8DE}^9l_C}fPexV@6XevaUU!g)bmcPs8jP5+^f^l=yT9bQ z{lX=+F!sXdwFtIA#BFtS!ryfXw!qKrSmMt8=V}nO>S4dxT}PyLj3}d$BV`b#>q2i+ zK^o$<-#|=lFyOlNFPq+|$n+%igxo2Q@0WM%Lo4NWtE?^;P3ZfY#2bq8(HZ^qEvCHp zZN~fLT7m;4-%WebI&E+S?sZ6<|Eog%<~oA=v<$D-{*>*J=+!odoFSk?8*I-VnI`>62Ke8mA!-i*c)vKz<@5j-X){mzbcqT@n zIwzovY6s)i3l_XoTj4Oy`{MrQg;HU9-&;>|%P>FgfT{ zJIL}=&?DG+MGYi+ObpfI%Zlf-NMF*^Cn%sy?!&-A7L0E#UiS2dnu)WuS&4j44DxN!kZQav3gNJ!@4FJgBhVniC)w`_|`n`ib5-d1*GnIaOG zA1j8KE5BkyeFi@kwbo@5Hr|=rLkmtKP58Oygx0oa&WLGzfWGA5C5Zr&2%JI6E`Kf% zPS1@FS^E~+Odbr+*`q=xL}v?TYPbke7bGLQ0bq8%sN=S(?C_+`7p%uC)cIV+0Tmeg zMq(G0a_mz23e79#8hO}(qJSxD0(nW1IInw6GL7VD^`1Xe8{H(~`@T#}T+wG2iHduB)L5r$@4F@l=jLKEE8 zKO;KvCrT$Cr5AQ-z&zA+$=SoOD*54(mPc>yxcO%gr{j%p*sA>i6c}xr_pkMGZF!vN zRW#%^vE7j_7G47wD&o}Eutz<8C6XtDITqQ1E*nd3+9vSB>NYfrOd5 zyg!8c{6SJXMfD$E7ExYukLM;DhewC}QQ;tqeJo7~=>yX{_tEl;ZgDt$JI{*{MDDWi z?;~)0fRHmo3c@dQpff%dZ5>SH$5^)cn$?O_$VXwFRX9BJ7{MM7vsVP? 
ze>E&b33>j54QJ%jJ)hR#F-%X||DpuU-|N*tYqS9@M*ruZ`p0u%b4z{bx=9~CizRv3(=Rp=Qzg}z6Nmn#f;md{ z>f_E30u!aByxii3O{PJJvtX~bE>+)fnU38ZUY5a_<@SLXIdDQFku97^coxktV(p7mmH;WhUpz&9 zlwvF(jvAQr@Jh+k!qC#CSEnMjp)D*bSc7<^WZ;rhu9cH*qcm`rzLqNN)fF8;F*%W# zKTbPkD%Ylt`WBz6Ly;<-LfRkXqtj$2gqLYqU;|+3I{s(0$#le6Fc@fRqb3+Ky*i9E zJ`M^DpvTU>)iEv6O^uFl56>{UBdAwLm6={zo#Mr-k9HwXc_SfgvMwJ2qJFK9rTWxI zM~A6{C*y%s1xAyoDl}UsAmDA{GqnZ-MV+j&R>h|$n`<+3_vUIo&sT?4;u&vT2i^Cl zpVB~FCmTANbL&m)WxB*ch2Gpjg$dui>wEyhF6$tG#*k|lchG?%0Py}^dzG1OA zyN)G+eGKS55~CpANPOyA;9tvJ;A4F0o4ay>f>>G^#iBFG9g_> z!Clfx)mJA)gQP+f3yo2<+`_M8QlRuuVsCz0(amayxB$p?PA#6gA*j4QreFO@fx;Ne zmI{n@dGq*mgCp`CE*B^1BjUOo5lBCKg;wT}bORZekDl&C7tMcbH_t$#N6-QdM2V+a z`+El{Vg>cn(h9WwG<#q?XQ{uA@f!q-JSAh=3!i5UU8_-6scPNzh|JZeH?qFmQGQ~E ztT&vzoAGhztOM) zO@XP*#VxmXy&DrpKjCXHuJq{G$mv}lU=HPNd~`H9*yg|bCiGjr(KH%sOpGm-1GKRa zd`r$jk=0{gR)0os#B_>huHMb^94Z-=Jm_7`cZL-M5bO=glyHYspf>u{yU{u^34Rkc z`S$FI?He zOIA?0ZTf%pt_TduW~sPNg-VJgXFD4tv9f^M$zAcO5xHwwxnIp4+cH6@N-nWc{LoDN*(ivwF8aCgv<|ry z0$D+HJvmfkEra)2g0tl%Cw(TfX@w4lQgThvuxc0}r{m2gDnzGQ^&iWpsvD=_3qfZe zesY>-@(mvG5n3u|SP^(ET8yX;M?&}>-E52?n7?Ob7hEd7ZFEo0N&W<;{0k_N!$d;K zVAgTR?#a;$4MFm6LXj_eDP@!Nen^gHfmc6)!XkHa6ffNepKfM!(=Vd%z;1;32VmU4 zS0`VNsnoDL3eV7O*9OhawCGLqJPb!N<0M-fEo>S~agR^m-f+2HywE!MS5W;|6e_{2 zCqMsRMazRn+@3NrquhTPUlB3dtJ^SqSM}0)Ka=_JeP6GN3k z1{|7``KV9Pdtw1TtTa@n`;M?^wD1~bMC8XB3$bZR^(gLFlx661x9zHkn1y2{qS&IO zH$1~DPw+v;(4v8{NOx!rp+$%g2;>2j>3j;T2zEJY?+nckc9@ItN+$^4G+-D-5oS(S zCMGx?eF_cPRdOG%qqh|%z{+*U#8nwy#-|g z|9D|xNm%};I7{ZL9LPe=KDJF;!}@6OiJQcd6^8Xgo02xw_69b|(l=EP*{$5oexPHS z-HCId;%2ZbI;CG}@1b(5yVWnsOoWkMF|5u&9XNJ#I}jGSH^N?SE&3qd%?-?cpK$kFD9=#9)1%%s(%>|S4eC5NY-St`}t z?xwZ$sztQPeFoI($PGpg?MC;hk)RVuzS&4iKi_2MOT(lSiNj^E0}x1ualEgGJc+O+ zG3lLfk}_?D60ve0`~_)&ka>&_1tKQC!A+%%SjzzybnG2j2P+myFGD!|bG*;X99zk& z7j)e=Jt?k9$?oz>XzNs9WL%o)>a;eC)%Ml>G(Bf1IOx!zld@W(@dqrm0SSZg)Q1Qa zN#sq3(|^nVy$s4Fw2#+n1U@jtHI9XAPG1Rd%_zN=1{&fC$p-E!#YW^!CMV+%zSFGd zAp;%m3Vy*$1*cb;TC}{HHvo$7$4)zQ;QPg$T 
zBQ~n!)FBhT(MG`ku$A+Eg~s^3+bBMV5_$9S3+cQRw#nmIvQ1@zv5fct59Itqisy0+ z2m*r%uWQy-VSWirNvU&t?v}fm%h^TiNp}A#Sm&&p?cjpf&^64^Hp;@5g6-@dIW@`T zU)xx#DvjGjs{g|Y0KxmZVW*txbSymo13v1x1W1`N?sy#HDAIpFZ> z>uEe`+lWyK(DmAK+6#v}v%PnkTfXDKG^rq0Qn%CFqHn8LRoi}z?{X`(8+%q?lv0#k zEDban6|~}y5Nfp3wDIEfI|fEs2Y-BhwJ&Yw52ub8rCPXlOeTvXX(u{ikhXQhUWBZ| zWocYc9~<)@ogAH_nA<1~>|cOBlOCzy1aM4gB_n)E3rb50!}_XqCU4m5+5nt{;B;{! z#0TFS(HTzSxs8j4t#R1|qn*4kG`H=JM>n^8Ww3P7;SPH7vFUVTe_7u=8|*x58yAey z15m*on;I2pW}ue9X0?M+g@K3Q_{#;W#bqt)83a{U4aboe)a>g_2eYo%5KxB${CE`x zHxpe5^eB*4IS`jl9ZJC*jP_XLPQO>TccH_ThJ6$9Qh8mFChD$d{<)p?DkQ{5X{|r* z^&Uz`=LFfBjwRa|wzI~1I5tK4m=%?TJ_-QITof|AL4-GoJuI)vi5aEVERl`zH!-I# z7GfFTxXTxIH&#NX>;3HXuIJ!zUnGBSX|&F>CT69OVsJm|nc35mn*P?BgsNsB8l!0) zEUVSZS>BQegBN!6KtpkDr(JaM>#IJC7?fnVy}u4+T?2jn2&U87*En-Sf(>oDX9U#O zWOV2kBSf*KoN2v8AZY-`-P+gU_6b?w80%oNc|X7(jLy?}MQeqT*a z%q7pg;lIVT!tWH_$#%KaOfdi40f`!M2keHnE$xiUlN^JaZ93n_q@gzwmaFRS)YQn6 zLm1#mZpDEKcCi@##OxBZS~%w@Ea)&(Dl>C+dTJFFmzGc^$qiF6S7iDhlZrXwLPco4 z-D6|OHo7$E;uX0NuUi^DO5ALa$VFt0$u6>Ac-3tr*gBgEYDSW(O5m?)>c4q>rMWQG&Vjv}a| z-UTvP(hR+S{iw4IBBAi?@#U8K1xdR4+PKT@b_F;5N-oVRI(-|7ki~x%PS~3V(>ucBPYun>P3r)aARp6o|h1jY~4}8pYDx@X)UsQ+_gBSzz z6Y3l+f@ej#%G2Krg&z>FP~8eEy-Z|Y(luruNL^T7rt04&o=BF42+JtpZiYUmH7$4j ze9v(xI`60Qnce$8bY4y}8f=3F>6i`m8zovc?NL2#wtJ9UUuiHjqz&TW$=p3H*lay> zTeM&}NsL_hg+pb@$?uxW%lBw#GuTyRHa3qQfur_w{NsA#_10g;)1!)QeHavIp+k&Qj1x4=c3E9- zUOr~wM$QFHmhsj38!y2acuFe8Vb3%n0d&&xq!DySFugWWb+W#OO+x%=#1MixHSfja z>6HV?JSyZZlgnHA$^wapk^FpdmsvY0UUvog)>Z*?wGxaOzLrjrz*Mk!trM#Sf9>XY zw;FouKx*MghgyU^MHh|Z?+n>qi*U#{)<5*DKT0~d|86_wE%VAOT#|O0*gSV#q{7rF zpf#UWWfz-JHtSZZtES1MK6eySt_ZlYErf(&OEo^QFwu4QNNPZJfT%YXRTp-5_kZ|j zdrpfOn-caNzx8lp+MQlCI38Y~eI$(BcC}5tM?YT5k)LvR>#BRVJGmJsBd!byV=IbP zIevC5B9RfNOhj1L6DHpW{M~SshxDt}MOa4zH{KEvRke-b##FdtkJ*~;+|2zX!qrw@ z1EreiO21t-=RHeD+G@1#g6P11A2qS17ZgOl&=kw+2=d`-Kv;)^@V#PERpn{9g)cuj zVM0guxFyrO>tJRc2!rtO_;h9Ymo_V{=X6!o1lKK@D<&pZ>)f~w@>Dz4ld23GPy>R+ zJ_lXer=gl?+ymA#8Y@iNeP0|XgEcFJ!8H_iq|=n;yTJ96K`P)zfg;j`l~eKq7p6cb 
zArz++sXsW?=rBCPyVWt={|H<})inP_=s{9-%el`P=WE!*6*fKdjCH_PjP>q2qwJc2 z&0Tk5JTNb28G{f6-(qAihwVDhp>s^Soydw}v z?XyjqMj!UMJ1u-%E19Bg!rj7ru?0Z)p#mj0aa_(pm%afWJ7jtZhDbU*UmgVQjTvWD zPkwn{q+~eisfdxhJmrOMqo`XM9>wg!Yn1KMdUGIhz%v7?{L+RYf`kAT`b)wSW>$lW zNN>;n&mBe&pG=gz1~P{735E|OA}A>5Nz$V#VCl-Gc4or4x&fQcLdzIL($kPmU5%~C* z##k+5J9#h#dXQs6m~|*6$F(KL*Ri^7Op0@dIZJG4u}^4jXvPb|@noTDSrZ)uA7RZ= zjJ&l^Mp)gQrsj78eUg_4?q||9PF72GV=D=_CFA-ro;^~4a6so;BIwjQ&JsKK=;RKg zG;?&cJuz-j)&)-4`l@=u(*it*ROI!Z8@eZE&lEzk{OJyjoVN(4E37s0x*lS=k@&N; zXGCSxUJWpZ`6e_jeV&>(FEhtATz{T9!Grn4U`nUTbR#q_IH_7fk<6?TvM#zEXd`>O0)hkT-(;26EaTlAv5 zw__D{x*sjIEb|OK`4}Byk2z7?cU+TKGgqn_D+e`jtQsdA1$Nikr@E9U1kM&y3npf3 zDQ<{3ltvQ-E^9UDkm)LXqI!B7!$;Q?_C2vK=m+#X;wf7E7=IRWMI42)!gvWE2IL$1 zg=VVWl)Q11B5YkEiDU)#4_rK|pVaxj0apk?c(PMEeRjd@4f4&Na9)4CQ=Z+G%=8qR@zpBKjIPR#al5M=tZPL^YF0w(Y20Kc4pl0OZTMGm?IPNyilnQLVQ zOWE}@Uv^kPc{nDZL#%kyxK|CP^aFn&>)=iZ-DFzm_ z)=(<+2_ht?wXqx9nv~C$W2Ig7NbE67|B`tsVrC_ky6ObW#547-S3^(LMzGE+>SxP8SuB50%(rKHaD1YT*pva>7| zca6W`YL9(M_nO@ss{g~{V%a6p$ZOeZ6wR+xSDggfX+ot1fUb4JINtzH&&o0yzg6l! 
zQKY~(N)_CN*x2}TJMh){3b<}dczfGa{-!a**bfH&0KrumR^NOO<=AxRa8KB3Zp?1L z-zJBfk?T9*nXjg5ZlJoj*H<5FiG2a#{C6wV%KHKYux4?1uTe`;wA`I_&yf^lJ6i(k z&Qv!|Pchhe^U}(uY9CQeIqLG{9tJr!2cZMJs!D?PAP?2Ydl9!pby8B%mm`b!($x<* z`S+V}wW#l}v#)RmL+={4KDy(l$Idw$#^t(=0W#bj2GyZ&4ym-VWx8{)6;QGO(SA>_ zey`rj(y%2P*;Psa_j>_pnG_Zrly2g`Vve-xatch3oR9oc;g}X17?+lo`P|&4Fm~D?)V4M+a^BK&%-I^@m^!s+InH61nc214NkPIP zA4GUaaJ&t%v3#p|0Plj2Aw>_Z%T+ZrGc$Bge66Y&Xz}(B@fl72yN=GAXP&t@hloYY zt}L9|IH5DQSBDBWys_GqV`dJW6$cJ&QuHt=`V;*^cB>oU+mi;9Z_!pp=0F8&f=TJg zBR>_i-yD#H%uo=x{&H2k`Vbu{M;M0QM_}gKZQY}3LA&ecu7uJwl#N)tSS;uG$SL>t)@aGDnb0rDrjYI)kBsU`{wk6dsQJ9~SNd_U7qzmy zad}j+yx|15?I@7xi@3T^6wAkv>XzkZ()c5$qm}h>BD2e%8PVCS>VA~ zRdunZ$-z=FDE#U-#)(W5c6QrL)pKof8@$iBYiZc;2Lmkew;$Y6Ir4lJGQ-l6H4*|t zIWj|IBT_w6y&t8_C1~~YA7C`MQTmu0W#exrqtE6h21dksCXim1ReEk{AY$&NGVu3h z4GoPxlGnNXYMVTyr!szQY!D!7Kw8en((LFxX@idxjg3CimAM|9*sJ`MI*eMXJok_~ zSu4FkwZ7(hZ#@IEkJNSarT#l4#yQZhfAR0|$n^9hDU%PFNg=s`nZb_|CeUyBZ@9jk z&96oVUrze@2BZeY?*_;_%=GlnU;O(yswZ<7F|ts<;klb>ncriBACYH!h*Wur>t`5! 
z?;pkAflpP^A^!T`l-QITeS!4#pOua|oIk66UmJYt>FGZY=H?2&?kHlPbzGS1kQ%=M z;}XA^fBR>}`lsJjxrmR{4cNqh$^HP$OY+RrPU~uY(1xY@h30-(JLO^g{Y*;dC}dz{ z@=$$&%)iRGyjK4kqZ8=YB_-j*S>g|w88BMEdO`Gc9u@a~o~G}Afs|jtWs>*$6@&M` zN+(fx&%Z}6DX-L*=)rR$zi;su8^7|=^3{2H`bXdF54{v`mLKdpKf=xQ(9l=tJwL+L z^iuy4F8EnKiRSq+`6ZwH&L8>xe@tfmD4y!bv7h|bAMmw&9uA@)f5(6EzSpLIAAaAG z`$hq*YksRgyc56C_xdx2CIJ1-*WceybGKhto!=LF`dFeL~w*=GJ8z1D2iP>7LIErf}<{@%8ZbW`m&lp%7yn!beD$g^1H*Dbm} zUbcK~rzIo7XTBw>#G_e{Tk#yBdKMDaj1wbJy}Gu4q6~sVvmboq-SC0M^wQw zzShx~kGyBNjLW4e9VU#013lrWGh%A@t)O;9xfoa|eOkuOzhsOV}n zASGFQakLJG&%71~rE^jlg0@bgegq2(M!W+QKikBB*<9-C6z(1kXBMvR^N$`jE#p7d z<3BlAHFzA<%x8>ytP%vxWS~?qf(Ka`X2gT|5T%C4L1-j`c+Y|zDW&XiRkHpC;8XK_ zyu*wG9h8YW(my$@zWu@lW(J8uul|l~5-PVz$5xoFgV{}LJW9u&K}L~wMtQVkvg(}m zVqSz>sSD3VZkHHQnNB~OCZu(BjWTlva7W@0c5hh*=g<*7 z0em}rF!rh~pN#UT-&q@sL>an~5bBe*759Gwb?FgPVQfS1SzuFZ0ziey1Vm=2z4fR% zaHpyKScx0efKpL;3UR#kI(=5+A6E4XT$j2=bOnz6Jhzy?^&JnBcB6k!&PlMhe$UQH zilaUqE>}h5YeK>Im}I& zg}nimrl^%!B!QK1s#~!Xmp53MU$$adfg}ALW1CXYyKXkXbQ{gl7PoGn4b|Q(g(Azo zaQwz`{iiyQd@NtJK%4CmBL#!vO)6&(7_C!eqMkBxuY!~XhVUM-scaT9+|Y%f?fs|G z0)`UYFSgz+M}KCsYOWSJzv4D6^C7%y(x!bAgjL+DRK@esy>S9aXGxY1EtFfV*KO5H zYa9@hAMQhwZXlL5ExeO@56Wq3N6ozqSY>Yxh72vOcxFq|7?=N~xOYSAF>0bcv{si* z9u0k#J;6)1v#e$tz-NfJiFLIZ*t600W8VIdbt+v5I?~U@fdN}=UmyB*@y}R`QzL}L@?5Hg4Bp8QnnhEWdda4exiNz zSW^(`R>={u{3q_7@Dp!|L^@6%Fq}AyqtY?l30BvPRoDUQ;v@toe6FZ@XlQD*^$S-T1Fd$Ybhb+M?p!% z#O!KuGUniRxyISsi!QAqu@jT%A6_CDjB7IVj)X zqaiGqU$5bFoUZ#R&-5uGpM3p6`Z07HkuTR1i6r<-p^G%EKQ*d zAm2Rwmy`SLCBJ) zY$W|(=;Jn_8S=T6>b++2TBzhUWvendf(ta4hs!_se!6gR1YCBW!v7u=ClXI!XImG< zVJ6#RldKo)VdiDRGT}UFt!SrYqa@qESex;2zOYZ*dr00`RN{x)9ZM^c#fp@~G0vTl zDY^A>D}pcXh~MF4&|^%Y`eQib^7Bvjy(z>Pv=SnomFQO~QsQn!AvfkB3B;IGU~pGO zwnCS}99G!0ew9PpXA`Ev&jcXljtPx?1SFWCr=p{KNN`{yIheoMr0$`V0lrE^_#b24 z^UXCXiSHT917mqAp?JV4M1H5@iDLU?6Dtu33*MHN!nN=ru+%&F;FL@Camw_@ckLMn zD(*vt^vVISdbzz*2M6G4gcs4jp+o#y&>!uEqFH-`4~B`==%aug91q>4xoY z4TAT{juTKQpp&4e(zMMRiQ%%TkOW5z#r?}@ zxeUrfv2YN+qP}nwrv})ZQHh9+ug5i 
z+uJiAyZf;_GZ81UBD1n?Rzzh~W#zs1oZ!jCgY3x2(8OgQG_%K)@|p;-AcL-XHL7b} zy<8qtw)9-Z0YF9Qy+Z8ataiG`4S5VF;4<2@r3t_K&Mmf*iOmE=>Fxv}C5Zx{pnt)+ z2%{srHGOrgWMmP>O*U9h{+la~#s^9fhfo)ay6s)fRX(v7$ zDS!~6L5hXfpj116UQLPUk~^;~}AtC(ocQ|MK-Y8iu~rR`*4pl&s?V6{cCcq#5uM-0Mn80)h9 zSQW~s`l3QqN=9TuZNS5JXZ2fnmosZdOWwN&?w{Vf{T>t!^5>)Pl@0rs!!#oua3!y$ zV*HogjE{nit}mT0hwa92Zi9=d=7zUqS+;dqbW|5^%D8XpfND+c6W6-ne>sJz8&hHY z?&q#HKRgh0zkqsozCrI@T!EfF{do!VYM1`hwP71Rzsn;UAylD5+_rGtSut-{l?t3N zkO?QkLVVB|n#cL!sqMtL7}5&AR}wKzCs@O(kDpXL4|qZkI!4)#E^SAey9!!Os;FAe zj7!Q4U`CKko1vTL+5vBYjg#prnxfilWsw#9v@ZUooluD>sIFCJPzOFV9IFrD@eNS3 zM>yJ-twj2|tEA>mt?ukq?&NVgV)+OOqeYh>%sN1(F=-q=T8ISdXlf5t~sq=Z!d__1w#3(S#~+8+525nms%X)jvoem8X|Y zP)qxhN6xNcx#1+LP(QfB3Lg>Swy}D*)S!*Kkgpsw*2KVu9OG1OVYk{iyd2;Js;seF z9I!0V|2{j^NOA^ZY1zDt=xK1s@RMHyR zAzy&nrTOo>wDKcQ8AYYyFx-%L@VQ-AzllQ{*}A-b>Xs=}d>Al93tUevA1 zVi>EK^}q1jjl*+#=Y}HdS~DWydSretm(OM*I!pE{67mT?J1?DqD}sAk;) zkXKd^9PCrQ>wclG6}7vblq%J5QbBlyF57f%;lQU8XaD6Fr=$S(*o6Ds_ap?c`&RzT z5PfPh5kt_5Aos=%3l;>A6Z}Y%zJVUK?20dOYB_bsnNLq8I|*kQ&EN$~qUo*&-yrfu zgOFQO&jgC34huhM*3ZW#1}%ZX0ZuiTs^%9A33%$nnJ|Makpuup!Z+LpZW|u(-HlqE zif4iqM=$u-EvotQ8As^RV|f>pwvE|@WA)*|@1t9l`JB*qjak8WfK1psfIq($cr1ad zzg2=th{HfFh{HhAX5&Jj-5W0ij*vZY@dVQa5M4W8YO-w510q}c(=y^dT1z*?IdTn$ z6eOy2;q6$M&ihje`b4Hy`)x`sE6BjycBz$Q`Wt&IRH_%-`h~861yxWb8iL^-n=XHR z4$aiy@CpK`2kHu6a(| z^jwRyCm*4`%pOzuDL#k@=A@4h-NQ4?*#xaCww}`gz%`aTKLFYO{`kvnC!rgAoLK4z zF3Q@Y-ci9;SdjFt@7a8eVF`jzJfzQ#21P5FX{KXo;bBO|rYlj7u; zmGo*WFt)VK~waOsq#oD=jWEo$jg78AT%WQub{@8aYXf zOiQ4IgNjr_0DiqCpo{@ygJS#7$QHve# zlw@SwVkQa&&lqZUKMo}`;a?V`4E=Lzw%2w^-dtu#G^`O&Q_m3{GBgrHE$}D8$ibdVb<#4$3Q^Cs!#mjZ8U;}K{0119fV9*80W~U#IoNaQHm;WZr zXgYMd_xiVYxg(rS%?$IlRX@t^C)d|mQrlAJuBR;Xb-x{$r43{bXo_{{m8e%Lfu)#f zNOkr9RA7GQfkkP~bc2gZrCpYy{7 zq1Vt|&u1{15C=+j?gc*jWqw_UAA?Z~>=4wMSj5Z~YlUq02j8CrK`lXM8i!;b3|Sya zX4!VKva^$G%C=>>&cBkDc|l&k&lDUE7V`F7zT*6+3`K%YIR(C$0}3qCWGIvwa*+%du*9n~70_l> z>!ZNlJ=vVI_~|!Mp_bdpRjAyfkuU(7GU}?D!;PqXXZF+gPoFA^%R5o)u_e zrt3Yb&sf4rwj~u=dibn-qq{8(NQ^#kO7~u8tziWwpVz`2Pic9bX9=06_ 
zliutZO};=CIuSbfCX{ZztU5M*MsQhI6M`tcH%SS)k-Ycc!bw~J7V&981aJ(RC4yt) zqDh&13k%S5ZRu$L(&JM{c;lXUrm?E#*_GH|tj)!<7%ZNU6GX-sP6stJqwdr@Dmxl7 zJd$+~HR3?SLJsv3XfV?j+q=W6`o5~^$(Cw~mIm>M1 zI%xlp@?G_Uunc+G?0BqKIlI$CNG!TE6pwl*)uZt!ub?cMrasOH%e ze+%=5Nd$#f>=H)xf9$=9CITrk_$wO^vSs|eM_XWjP-M8LjLlMHkEB*!8s?Naur|IB z_UM6(Y9ed9B?HM5gkhavQl|`HPm~zz(^eukg_w4M^}3bi%&+QV5cAS);JJTLNHCWr z{@Z4-y!4p)iBM?g22Mvgbv9m+5eDhla(*d0Xo05hY%mP0;FApM`VC=Y8|oX_-9LI( ze{6g@Xaz;f#&jIZ8+B|Z{J^4EadcdQpqcmBWFT&(KaRQ!q`8Q)M4Ll>Q0K5$U5~Sn zF#c|de9b1L;st%T%A?k+B2`juDNN{A>{8@4erRCtmL^g%wfyYhbo*yrrK2#H`AoG9 z*02zO6rUp##eJ4X6jB8p15*R$(KeZSpR(IWLjaz*+rh1DQc)8=lmlGTfq%SAOtv{} z9%RJ`Yjm4;tvl>C;6t8P*Kh@o&jiU$#dyT=R_akYTkGRJs3ZHe>$`oV;%0&SpZO7` zDBH#?)Tt%Ns0}GvheAV85IuaaceLTBK{0e!W(VWNZT{Q-39V>v;BZiGy&=2}{P~$$i zP`?VLH)lvYRT3*!MsGSwD6gwb7riJpcY7vpq~gqsyIJN<6nFU*dG^CPCuZ*(Or6-Z ztxZt%If5d?kEX-qx<53z{M`;IuII}xHWpR?OtNjN1ZX&UyFHBVVgmimD3)W#_fv=!sae?s_v3s7Cq)Vhyu$8#Y3&+<$!<{;wWL4K2e1c z0p$o2Kc-&x@Sp{#S~>Qo=*XPdx+HAnf3=F?KMXoKvxY`)JKe0B!}vadu$p29&$x_* zvm*M+*yRdM7{egEqF$;|L@`CvYR6FQ_8o7{Py+H#db?72+S(GiUyTFu`)&|qVV}YJ zg{CJ@(9?08g7Mdv9GCqI{~5}$PgIK1ds=mMqWI2^erdV46P7`*v!(!gJL&2RpJ}bU zD0{)k(7RpW<}2X6|GeqP(5z1iYH$Rv{*}H9oEZlo?ByS;K$oBkr0M+^nP&4%?oQHS z{624d$ro;o5TW$d098h!ZMjkap4#x8M?`#2km6FZ)H+EBlGNf{ToLnm1#C7BYNA;S z+34B{a76qn^3U#&WE)^GX>}8Nw)H`5M`$sJ2zr|_&PJ_YD%n$xs+n0c zhizr%(-cK|*heTU`H@{!uDYEnCO%>CNqOypmCi%kivjEcplP$=OZ}YaC&nk)iiHC- zUxdF=XS{;zJKxk9#mmYc1wNe!h@^68_)r*b0d->lR0`v~z)=j<^(t-97v}9uJM+{( z6(9ZCGVA#q@x8sK7zGdfT3+rtI_gl-cwT~|KGMN-1PpXS6r253$eADJ4701kuplo} z7hh~4qMV?T#HT(T&+Zr}X|yHkX-Z8Agt7$IraI40&IZVfnZcsWzla36p?mVIi3t zLeI%~WWAo3!j+230LRq3f{0dW>RCa{XT#Zn_-w>=5D#>#H82#!2)B%!(Toy@j`xpCG9p3#d z6TxWWT5l{SqO2@s49GO2%EQ;kY)Cg9`zNCTE=C8jO2G*0QE@xhH5$ zW+CrhRG#IZirO`?&<$(Yd2FFm?zAPJOz*CD0EqCC1~LnR9@HwA@IY#8D~7`>qROV| z9cB$iOzJqt4KRv>wu`;7ktaV*)c!8ZYXbda zG;Pi#A-$0nFr!Fn59H;4G)** zyqoo9_@H=7Nsf(_vy^$>V0{@UZ{bx_gSlH%^ey7?UPLO(1;VyuTqS2}v>}-z9SXR} zh%&2B?GM+fZ#z*^uYfGY+BBw*dKYfu>RjL##roA%|8H8Q+OE8?JRhTIEzo4V3HXBP 
zFR`qK55G0{m|HsoTG@BTJ<1jpJ~B_MPqKslY%SZxyc7d zy35d{q;L8Xt$G|)z;vnoQioXA4u8*l))Uw4zRPtjFN42)VF3ixLe=&cpt8v4J5Irl zi=9I$q9?o6WxLn(^qcVQ@n!3)T`n6R&j?)4bb|QU)e?WvBY1)lccTG(u4wLVoc^X_haNyFPB^WggvfnXC-;@ zi{X|p{nw}k9y4YUAb8{x8}%MvzX61BF`K9FVL9^}m)Q@}7S^+*p7jQ!J%btuzBdCO zi|#LaZ?Eo{m>7}w7`-&$;b0o;iO9P#%p*P>7)sqhpjUdM(4Y?gSfF9MK7;&Nz(Rs_ zj+iTn4t<1Mp(Z&+P3)sN(!@zmMQoCnlZrPJ`;<+L4?oHDvCDSt9tP)ra-kC zbEEX@C)-g!lTlso$o3{HRDwE0X6a~0|A^?+4C`V5rQ;-!cb;Qf82G2_hkZ@LDv>cMSns%m>bKKEM^5~#7f{xrWF-KqHc zZYn~APGiCg9XHMSn2hU~DTR#l%so`YP$nfQC>>K~5=F{{5=ogcO{th=dd?O2x${4N z@w|L>=f8OVbiAB6H_o-Jy3~B}erQ?WRP_YVi6Yf%(zht<)$NRmBzKNGO8{|s^#?qi z#Q|Ng6As*rSx;=q?&GEmTPGpcF1%E}T;-j{jp%S@ERcz@yu5pWt%esAkvSfFWu0KA zL}1?+>5$LS(L~9%B8l83>EBdO!sB9#oBKj8anbcl@P%_wf0yp+^L;0|7B zvH>mt7BtT7gil|zNPsf)Ll(wLJU*QIY$H+5cP%9ByRV!D3aUys9G-BO8IkZt;)B^M zYiPyrK%v5T8C)Hrqqy7V)`vDGGkvu3q+1wCQIq8PSAjU?TUMlP@4jlwOpVPP!8%9A zV%QEfC+FI$?XGv@|9jt9nnk1%t8KC{L$vUC?Jn|#G4jncXeP2LdZp0};mp_eEa!F2 zCf-eQzl#3-<>0!SU#sb+mTwi6p?X^%ClLwClE}j*EDS;+>9E?gy2yh@_ue1wJX|lcNqOhKK);%+ zj`P`0w29-ElXR4+UJ5&sor-zt7f`n}4b|@trQhU79$pR!t#v_-U2Sd^`>0N45#RB= zH*WPy6UcDiv^$vCm=K?}F*H6nzo>(sKa9nRPUPZEqwq8Bt;kG#b8|G}r1B-YSfgN2 zU%KajWPejrC*e{O*^um(oT@M>H?RW`S9`(VdT zzP`Rz->y?rm4@@|Fnnu*sWN(CDVmcTjUS}%;;L)5f~vJG@9>}HKDt}9FIZGHx(dk& zS|W$-Erq`4WfD3r+oh)=io*miQ8bxR5B1lHko6U*BCVrvAnCkQb8ZRU%nMh(RHvz$g<&`2ZOp%H+B0q-%+<8WCZz7D$-ZzFWB2tk8jcar zzP9wdp&9uaoOd|5%^9py(xgPKxyqU4qXF~V>vhj6=6IW+L%&s9B=h9*cW9+6c?W<- z#$b?arSU?jIw6|+|4N=8Wze(uyl^1Eas?hHG?tSS`yXpor+~*SmYRcpA{Sj8{z@U!ox-H>!ZS5#uS`Ot@p225Xt+I_@X>r zP_>7Cb$00$E?L*dYnP0^fjC>G{931Q;Y|Kv1WLz}t*Hu(Za#fFXv7%tn~ZAjgbK2z zZVv4Fui`^e7}JqaS1`3a7_|s2Atf%lJhz2_Jsj2&>27IJ(NI|af*e(+I;TSkqseQAW^;ut-Tgu9W2|6eK_~aklms=c9z?9Zv*?Vp zUN;HRK^qO!5uDyQzF}bJ2pU^&6^oA+%2yuG`$wZmf2bAs_Sgg%zhUX4w&i=Z+c}Mi zRg3dTqA;s)%N}}>r9~mV*hwV!w@QRvc(l*cg-yOm5`|&4ce$k#&PJl%tl(&V@v;iN z2u5RK;_6LnA&7l^8p?KgW90LfT-T`YNA#xwB5EH};e%-A8|1vn2RshkBo-C4j2q4Q zQ+8W1iC*0Zr^83f5ihf(CX=?gkFUk1g5pc$xHz&hMW0^MS~w#T_5$Arp17Ox!Gf4w 
z+0{vLR9MOMUfA_xVH-PgG0sw-zQkl}`PTpd>yH3j#>+*ri!t%q5VjbT9B!Snr$ncp z6Yhbt^aY+4_n$Q9`t3cuU^#}O=lLkCt@KDgG>E@>=(Y1Q8%TNvVxYiJV-8y83cZ&t=^xB<~! zYXaB6;k$ef8rqp}@RStI+7!2ymY>;n2LsLkv7tvijwrpTesxu02>5$*Iw49 z)Q)8yv#!`D%e2$0=^oJD#Wmd*pL#7W<6H^d636KeF*Y8*K3equI@ zWNGdm3+0ZnJqYinaP^^$jKp1~F`d0+W}6S1w(QH{#I3S%*}c{mQbZB z9q`_X7@ua8(qxY&IH4vSMC>0ZPPrA2ccR&|d^~Q$9l_%z;#g>-?rY989HLTo#+6GK zTC#QyRk%Cd6I=Gh=r0v)bvhye)8FC9;XCLJB;y}4VOQ+TT8*Mw-cHN)=4^de5U8PW1fn=ukI zHK+uFYI|e}iDZZ}(vTV-55uY!49K3Yq{2s2LOnJ-_&|f;7Dgqy`(jDt4uO=|z3)I_ z^L9iORHDO+AP*RCugm|;Heh) zE4?6zZPc3OWq6$xY#@svD`YcC(aiTD7N{-60p-TW$^W=rfEQH=j>y!sB#ReQpU-}k zvr}n6$Kj=;-#viv7BYHLCTpNbv{OR0yM=$e+tf9QQ75=zv1BXskHs;SegW+=VEe`S%2_{MZeIE z)|Y`70xFUn;d-5+0fEJ7HKoIPXjsUgD{fHt;i$I7Y0f7yz`(6)jah$R`7-lY^lFIr zffOwK-+xwIue0dg8-5%3R%_po00jU}YsZkIUpNcr+u?WG-ln1=`EP%V5Q3MSVsEu+ zUiITzRA=_DT2$nl%}r<7{h25VihwpMz2BZ4ZP9H;MBnvBzu#(2#>7`1_3uWb>y=*f zk*ylLxnCRoFP~YzHgtcEer?PxMYb7Tr#708gc$l~s=C)?NC4dYY_eJbG59>|CLh;Q zBSQ=P>k2Wf-^L5y1c9Js+@awNv_!Q?*CeL8o)1$EwcpRWAI z*pc)Jdk5OdzRVy4za<^mNv&2f-=qK5EhKbd@JaZE((^go5q@xM_=lhAS#_H_)AQT~ zM#4|*4n)8U`vB|<-_-s2z_t6JNoX(sJ$m~y-tHzoaTnhL zW4&gq@jg>S`Q?B2Jbas%6@HUSNfx z?wfQO)6rY=b|<#?#M8IXNvr!IOo9d9@pl>#{*mqp4I140VIbJArO4=W-w{`IlCODw z%~f~b-_75Th`Z-_r+S}{f`qq}zU9PAYzpU;L+l5>>9JR0?DL}U)y#Ys!akujUJp+v z$=zs*=C(UiLD-V*%rLP%Dfn8*`|_5Q2cK|>3iumvn^N2O7B|&qFM@n9kh&Q!9wE65VE{yeHCsq7(B?<0SNP#yrUxOzC-+^+&d8 z5h&%s2oDfhCR&Es&wd#Km-AkWjCU*x>j}c(=)|jUHf^P)Sk^RZQv_4aQd<1|4hsc& zM;&I7FHAF@QX!*)B$NgU?EYykDcs2mcEy8tdkYQ+&mniyfm=nueLS6tIo|om`2NvG zZVvbPs~fi*>`M0NB*H11fpa+cjs6gdX;&PzuSj)mWiy7Cw|k~+ zMN}CnXsj|IWQc`JOlJY`@zM~#9EL-NV6|it^)Z+97p44>RC5uVw_ibIoD#<1&L zB*Z-W-exDk(Wk5y>dDwJL~7OL1yzO`d zTsURCWQQ<={prtD=hw)hV(#24lT=@RkDX9{F*@?opw=r~A2yCDX^tb#1u@gB5S;Z3 z>E2a^nYA*^rhfqMJEPgC{n5K%PTyX83rqe4>zm7)n@OvC=Vwso7{O%a=f~-A zwvW;cQwieN;AoIh38UJJO)b!dsY+UE!J%>FpTmx&&J(X=+T#aGeDZZWva;fC9(L4W zo!@x9zmt2WlZ;=Z4c(Nj)P(EQV$EKKWgF*yC>|!6N@lyi+zC??Fzw4_(=RRQ*p&A8 zPpl;`tO0TId;X5(aSMapalt8?_VQMoBMsu3(#Qn4PO_{`Xn 
z{??u?emR@>)!(I8>#rinRLL-|C9vws3;WLY8X(2SNae2D9m-2sHB2D(7BSq}D{Pfq zqcY1P9<3wGGZs1=dC#Vt+_QUn8|G3#flWx!%kOO_N@Qp%YmkxEc+~DptW~Po+NNh# zQq&W0A%;g8Erz`(J)O%3PDX7W5|VKZeGHAJUlSw4?_%R@5wfjUP|li8XNY%G z?3FX2QO=L^@eLX#E_>U@H}LqQ*pJYe4${5C9b1ijxNS8cves@6H`6>Vmq~ccdsQw) zb$`c6TV<=sUvwq2ph3Tkg(2@?Dk^5U3?pyp5%wISiE=-@FzSIX@$ds(``FHtf6nZfm=(XjXVWcB;BhaiZ~eeEYu@zuQ$Z=M@Ftw5P4#|wn#WTxxnfFP1c~N^R}Y2ZLwvMlNp)l zJX50MmM@)j-I#=nc}bW2G`D$u*t&yg)#vOvL1Np}?=DTQSjatz;&s0{v1fcQxGcXX z9+?dv8pjofw|el9e3Gl?_9gNj6gcm;rZn@nl>ot-heM*2ua}~@uGnEsN?4YKQdUse ziK_D1R)c37!;wk;PLmWmv$63WeQWNzd)!iGY4QHT_jXJ2-TY?T#vI?^^$wNzyjbOK zN?K(fWuTG&18LE&D_^q2LjK}#R@Kk!@3q%M$4+z7$V17Boo&eum`4gs!xC;^BtxVl z)E$d^gm#G7m*p0}e$upt8-39rgvI)zzk3vjqoZs&<{hNcW_Qz-RQKM5?-CdvkekR=oU2~h z50+fo?hf%f_HKIBE=oUF&N+ga0yo<1fF7o`^$SbD%iDNC^-s@Zq-#D_W3f1U?`)3J zQKgzgZ8*QEYB@UK`)e>rQ-a z=UD0U#5}>p`RKR>m{Vip6E_bHD|2a*xrNuF+@e{2@_lEsA3PBauOQmBEZ}RIO~nIb zuS1;(4YKfIa!Mxu^g1grcC6%x={!}-wsS`iJH#?D3VsYuvHlYL1!n9^<`7*|jUy&s zD(Srbvz~t}T0dtLRi-t+F2#VTH`^OkNPVZRa?=R+xUU)(Z2A6MIOwzq=&svhmh8mc zh`DF1>??s&niGJdf5fr68#` zt&o2ryp-FXb4C8OHlsd zQhSLiowF*ve*iCKze|Az4o-QXjZQiMym6;+YMrR$_9rrk}TpJGAO@= zq6S9HJ=qX90C&s6| z`{XI~*`7%5IGd!tSiOMrLpHJ!=D~^RO-oNal|qP#a8>Q;+)K2tsXH+t8gl7;y$bt1 zo8qbmNprJxlPZo?PPXe2!g&xV($}-_+LGz&U`DeL`m!9_o-O`hm8y*HymH!x`ZWQZ za5>a8)U@kXtI7unQLJ;Q8_ipo{2^bs**=7lFgLu>==sCTvT0gXq7Sy?(M#h zQ)JKOM<#jd)>4u(k}%48nqPPJR$<(q-PAd@^G=Fz_ti7u+R|$cp{5l9`X-C-A7PJk zNV8f45z|ff4C4aBUFqcJ@pa4+tbAo9wJ_VL>ieVLqoe12$`ppnF{R8y_5BVm`ZDKS zS~(6*%BM$Gc=zMzM_%@H_hvlxJaqUD{4?@suJkyLITeQ3L{lsYn5vqtcO6;`-ta6z z*C3Nnkw3}hlFA=q5B~e=9r(Ikt1dRY(VZl^2F>ptx0N8<4WeN>N!MrFy!Nnz!R6NM z%E$wTgvC*vdF>zj-1qCxqix&54snN-p8mL^Qc_)W@b!0 zj%p5%PF|>J9WD7}C6g;2-hSuM?52p6AL>m^baC3>2*QD3)SF&ZB<}1rE%T4f;78U3 z@M*R-Tf2*GHVn!%bJLgvQ+CU2mc&r5cQS?0CUxm_i{TBT(zq3Rw<-N_gx6Gu+wli1 zbx{mR`fYX0?yF(#EcT^M5ze2WQUG6h+Iw5;R85_S12aZ+JhfVIy|X!KDJd^I%y|x! 
ztsD1mtZ$_<*Za#Jo2rz6C%o;M9P>aEg zajgHmcHPWJH}@?n?%G(9H&U6=)Az^bFChh~D3GdSYTO zLp?d)IZN!{Cl9Am0rB1OF`50X z4?4{na^meT*?Onbx>dZJ7TKAs+m}<=o8~Xo9Y+gJv)_d1*EM$FztrZ@&w9!uW0;_Q#uE^qui$K6p8z;>bPBvexu(cGY{4)ZvKXKtG{PfWIKr&>xE zF#A0pFAz$n1z`{hg24a!b5A*ZlO=|51L4_Sl!ll1Zj;2(Aw+y^4q3|_$MSCUpl#CC zRFo+F%ovWIVr-Rnap-&U0rP_8h7*}fIp*MWlvRPCPcf~3TnQhQx(+lN}S;Ina zLdM9MijU07A?VJh(G_ztDSHK&i1*l7ojHnJdWvXZxw>A$lX z>GkaT4DT@)EV*hMnN`Kouk#c6u-&8AOk3)>OSEVbMd2%uU*fDWu0KOOhL28V#+HZd zu}GP#0)H1O>wh*IS7B{&KwGXm85$Bo(vk4u4^bW6`12%$=I$)IWIP=1Ba&G>6Sg`d zlwf)9Sc>o^|2l<;EG`cT!imL=p-hOeEm?Y&dx#=B3hE8vjkjZ8%b^Y*ism(*VB|IH zn#Ov63{&L?T-x@h3yMio>4~Tdw^d;yLw7jPVg(l5@?9GoP^d+IAIDV5+naEgc3wA% zb^mdxsD8#4(mQ3n6i*-9jD*nTCvedgQ0HB zz_;z}9d9p^!hzQB5gE1FvBe&vwUno?)lxaTXS0`N*-NW>PpJ~9Iu-aMaa&P62jh$# zlBoD(F|HMA<*|9HSUsFu{e6~!=h%no>S}#;5v4xISux$#B}P+Ioo4M9Q^;4jUbm(p zk!JeV{(Xp(s4u!u@0~SNc2?9{bJoE1`AI2-Ygf6rz~tu#!VWfU7_T%}fv|L<&7-=A zdzzaj^l&n4<((2KZR%QBaZT!CI07ea>id@DPI8r$8TT}KkGa3(2Gn5(M^n|OHT2hU zL?UQy{^$S*1XCyTWlo)>w*s#CSZ_ebdznN!ezcH_57ag&;(=Z#^^k ztT(@m_lR+Pe>P2#T7cx*T?6>`13|*~Sq&f+rbmtHe75`oQwS=$C|-KDWwMN}4%w)Ikq8i83Lp!8+>E4Y;AMT@AIbUYMF@jnM_sOU(w{utMhWjnQ8Ht3uoRo zo%ZS*xx{heEqtZ<*k7!N0IOc>N?^15}4!X$MbgIAp504ACv3EtI`wC}!Z|CUM z57ZBlcTIsRiQ(YZByf=SO>g8NJPF;c`^`1=ocCwPk7|~LL$Ag$g~ZF%=cQ`zIj6qs z%?Ke3l*-*Thb$Kzs1%@-`GLK`D#tT()nT1k`%%zCx`{8OkD7JDR+gHlVw%?P+t+E# zv>kYN*@;G-P9<)s^-DVQdD<^WjDA$#S#GW9YO@M{=VxrlCyrp>M9oz*q?yW_f)#UC_Y=~j*sj#5rE zlETBo+BynB0;bt3!A>M+=G6Q}Hf*t&q7U9x_3li|`TTKIY?wP-KQhdM4D$p7C7SAR zv!IWqGIhiUsx#0#y|0$3gT9&5R!-v}(y!3`D+!^||rpz96S&@_6Q!YQraS(@SOI1leHYvwHPbKr*<8 z(;leJj)p_~V#_eAT)py^pmu!1_x#=H*Uy%}N~RCO%8@)SQtA0HZY~J9cBixPDLn-j zTVwR~ttQDbxOUN`pFn%6a~c!wORFzREmF@*yrAt%b?)9nF0~`!Nu2TxNNbu+db^T< zt?_jfF^fvJHy;3>+g!WQw&&Q`L}^SL;QZy(@_OeNwWlWD@5C?r*5NkQj3fp~oXa*tIW%sR!XCcwSLjEcQCOH*y zbtP4)mdU}@!I{>z&J%9N&5f&Wgyoq;;fe(7py`F6+V7riQF1 zO?=r1=5B9m%GNoY6Z#In8W{oiF!#XX+{c36wxyvTvGE+8Ho;FDE2;dKlKnB5fdQB5McT|}X2 zD0ZxnPVV;fcPkkKPOJY$QIVw?ozuYNCQJ}FMPUs%AOQr#C6tKB;=llE5WSA_VRugl 
zFi7CqX8JO+Ffjm(T|}^mK|(+Z3s5Nj_9th1;_Hp_KdRRgIa(5*d{*f7(myiR!y4?n zGg<@*(~@;^KRrYW?bQAm^(3<5!F8-*%*@OR4H1I%kFEsUZ}*WRjHOVcC)5t4t){xq(PRFWh zS3}uIRXZWgPFj`87I#%vM87$bSw*nP)G#u~*A2U^@o^8#P+X5QC||K7b~=aYnwwjv zs-b(M235e3{UM_3lp;m50WpQCQR4S9hLEDr9~zf%0h&zlQB`OKLv}YAj!@vth(G55 z;N_eatdkc7>YJ>?VSy}RtTT-y*2m$QcL}D*kLumf2v1-+FHf4EP=Z_V7F#n91mh~^ zOsFfg4O`An%G0-wC(2<%@?zeDOD=J z8Bkx6HEz{Bd!@$MvR?0`&_7b9gTckBN#nw$@a0P3V)iGdHQ^NtyYXWMKh}uhQvARv zdipotibW42`t|Ru)vDT*AePH?^j}2?0^XECJF&7n()>{IL8oxY`+!s&dA_t1*u1-2s5%oha@TmkK!=*ElOizAu#)0-*PCXRyfR{UnT?rW4opoA)o;KJ-{DuPk_I{JPzst2$ux#0A2~;0HAw-0k;4G9smS9 z00?*h5byvY-~fZb0RPb(aAnOLAo@qJ_6h(d1pNPj81V78fZ!Z>4v7DQ*Iu@R5BMg3 zop5>ZL14K51mGa>{|%E*n1EAGfWni0zpK$FK(Jo_&+uTuM;w58X8@5oKm=ZJf&Zpr z(C79$NS8lO^nVQUKfC6CX!^hGW=P-#2R!eL5s^3ady8O&CkzO@;en@|Fd}pR{i)M$ zztLQWtzwKu_rtmlETphC_VAHkLa$if0KTOKYoyK!Z&^D0mNaULNCS=Brtve zLw}xE1G}8A^EZbaHoq_M;ezlj@Zp57PQZlse}u0AFXz1RYG=jNTFqv={ucm8K)Ap6 zNPpcKh5tXl9lCeJ)5zI%@Aef8hC;w#$H}<4<<#W=aZd~S|EYB%>dt2FkiACj-ZH-6 zY6sctxBU%=@6aWAK2mmixmRA~4WfLu00RRty0{~3`0034^cVTj6 zUqNzdVP8*hWpZJ3X>V?GUuJJ|UrcXjb6+?vcwbXgNk?B&WnpA#Ze??GUq^LmWMyAc zWp-(EX>V>{NNIC)Z*qAqaAaoeSqW4VXV;#D9YnU^LZJpE2%;o}u*wbr64op%Vxa~I z5OzZV*H5INf)$b7prY)cf+#LvU0B?x3u_e=7eG|BAh=bm^1m}7$k$_Q|Gz!w@39W& z4l|jXcjle@+~+>`4bH>fVX3~Jv8*)i7}#W`^|1tObU>J_w7EH+xh953A1bRERb^N(YN)@VIe-JSLaTrbkEfutp^0x+{wtPKgSR24ld7>>w;~ zV_RC{UD-TV5Eu|^Kr%%HA37R8Kzj%DG!I}D0mnL zeXKEZ&4Gy3Cr(}S;6?{B*t`{Z5C=Syy_zSufvw=5o!}n@o(On%K^&HC^y(E@_|}G| zhI%9t)`X<5XJq1s1ur9t2PP7W6-2<18yy!ToG5aFXW*G!R#a>ZJmJ7KcsmB(o*mB# zWYZmO!RSm@KrC<(#8dE6VzGpo?~gR&{W)+Vcx*1-Ap*?Xo*ft+#Kya@qe6J0SQCON z{H0hPm(7Zlm0rF3nD?!yUTgUcj^kEWiv4uLuiyDWm%NjUt5iHD#<#Rz6Qi_6L)oQ~ zl5=+SS}#sBF}Xgm&NnzD{`&5L`S`K15><1y98UG?3m4hDEPicWa9?jkdEo8I*JjrS zYL;&#w6@ylr=7ZPIt+oHA~7m%Gi3#Pxc+BZ9=I|F}LkvJ~Od!;X{ga>td}& zr=Z?*nsUBYmW|q>oHyVaXQZKfI`)3iQeu=!XIH9xvpM~~bF!AIz1ePu{9h;v z`)50nAlW>HD&s9gVotLrwfTlv^@$%PX-Ak*{EnjWW%s?mO1q|5QMzEXcYjwkl!wcFC@*kGtnQ=b+vV?=eI}v!Dz#waqkxuD 
z(vtRD-1=FB5h;T4m63kRZE*>exrgGD&u2Y^_Q!;TTi-X%p%W7_j(>mM%3*=ikgk(| zc+F(okblN#W~_~aNV$r#C)YaX(bxXL*;T}KA(b5s+cUNpE3`ht#}$7ctQ5vJU3&5Y zyE%|=S`gFs4&pu0u7?A92?b-6CJ5zl0n>Iob%XdrVv($iX6IfbgoJH(NR%8SA zSEJk7=PN}Fhl01SRalqZpV4GdL-(Vxa9&PTy7f#hTrH?Lk{T zuSVFsAP(O4yI9gEzh+C!gOT1}PDRx2B&hC+*oiit}|N=eHAhhy>( z8YLov78MZ_6BPwlH-PJqsDhZHy1tFL5{)IHu?j=nv~$1YLfhI#WqSKFO@jb#l9cqE zx%1|$;ItNL>ntW28X23In%UWt9UPq~R0h-2%iCwUZ(tBRI3$!47R!r^PguQX?RUv3 zo40IDP0P&6&dJTo-^DK~E-5W5uc)j#a2hmFXIJ-6H*WUy z-tQk6d@%Iz(c|H<@#imIzIy%3n+bScC`be)+&(%l1u!qPsHljj1UxSkIstZ25EWC` z7gw~QNw8KaX%II_Vr+NruWgiCXh46a9Kdato})>+j~j!hhRp2GO)TmEG_&c6eVA7- zG)n{pf+wN?SwXKSw2Km@zu50sMYW#Bu}x*Wl8Vw@(UG|LxpNhK&vm*q(j2u;Zt(WZ zqZcmHl`h73~kYM^>-?VMWy&^=Iz`XwH-syHONp zvc449K{(t}43tfS&)iD(+0w}1jNZY3N=l0|Hn%%dT+o@hX`(_e^rxTn&zVI)ns$xq zTWnF9HuS}QYia%cx;`qL{KeXXZCV}PtW~R&56Y6RC}X(csoimuIGu6s;mS8k6NPIH z{pfzw^}7!){*V3p@;gVLG;IIc&;McSw(|`&xmI#RIGkDL2@_E;syv9Q$4A5NOhzlF zY3~y)%FWCd10N?FrTJ1+<7J$&+HTJIcwuymTK;rTFrNkevzsSoql)OYTu^(rebS6t1?NpZha*!A|O z4e=eNKOVR}wrceW+PGu%6)H6j$5Tavmn{h&LO3vdG6-v;G}TvUE0yZ2jY1*{ayvg6 z>^4b}F&=1|AjvZ`l7$G6L|nCt(nLYXpub{k&tqu*rmt+keNbO)%9K@~UyPJ-))gbG z@e5&k+|>uYa4|BAd67ZsB-Gk~Hn!{@^x17zKm zjnruPa|nd9OkJ4miHe|z2Ph(y9B_gZ7>59R*(&~RRR4wEXBsosRqY4YC4ka{vaAaz ze#xDV(MZP6*Sw(y=eSY=p!99;Tvb4Z?>CN1ac@1_)h+$B)H%<)exQHMt^AbQS$*x& zl0(+R#5V@?WA3n;_yrAmW*! 
z;y)jdDodB-BNWdcG_;^PzgY(~x##<`JbG8j*}R6P@(14zho!{R5y3X*Q_kp1znh<( zUFUUCe!BbmZ=EhXrQEb(2k8I3%zr8CWv)aUCCWk|+p?^UBYj*+G4>r!jWh>};iX~U z?CGr5E3Kq##K)xyDE&#PJD~KzfLc93=}90RZ}%(C?5O|Yk^gr`z07$r5^+yeKI&9h z({j2bpE7T8#bvE}3ujv9g#Q!8!kmqjrCo7z&*U|<2vR%_>B+`dndE^KZ-Q4_RBgfD z8jk%++|2GO0Oorn8tS0Z?}Haw0$_;;A?yqsAh-(1XJ-$?VFayQNjcpE{a@7~S;+Jd zRoLQ9W9A(2(t%xd65*%|Tmgb?{-`;jR$Uw3Dr2AuE#oUM@1voD0}~};{jP1=w=_wn zAW`MP7Lm8#{TgnTgHi73+}uq4;o$M%*4~g5^*N_%8aXTW?5{n%c0*|O-n4shWql(X zL{3ra0K;?T+ z@ckS;);(T!kO~)ziW`25*EgKLzDOxG_I2RlY#KRYRVqM)puQt$fD>L6>D`fp2Y2}h zBiMyb;c2?|qhYMM2xtc238HGlBakuYkS-tK4J{;*->eA1UsgxdgMg4=R~UjYJb!CC zG!;iCdC8R+Xq39O!>mYW3O(QLtKOT`e^0!DH3_Ykb3YV9FG@OP7ITy1os-+=!xv9H zE~ys5$r0 zg$v`CYA=-T0mqc;C$?=2x9{CeWO>cc+*$7p_fV_&GXOL@sbQ_mwnUZ3Ti!jhusn8( ztUT1}=Js^Lmsw0T&$tQZlx6)VYTajML7AHRbui&%x}pwKH0-{D3mND?@fE{z>$JqZ z0E8yq^5gecSUk<2@00!OfhQwj+v6DJaP=B9N#7X14AvpXO`4GMg7C%EF9hcVbqUB7 z^k1lKW*+LY4sM*5p#mnhC^Pqi;F)63>89pm3zjf9{qBP0qk%O+J_Gb?7opihxh8iw zUM5{fYtM<)BRF!kA)Pbqob4X;YQezr?yAZ|ZU>F#cs^jC@KTwb%#R3IlNesM;Ptr| z$|r;{qQWq${kOs>B2$xAm)_{P_@U> zZ~0JwzUup@@o*Ts2H@zT>gXK|d7%VV|G-T%e|qx3!qFBKp(*6$e?<8R`(pLS*58#n zTqJ$pLt-c?=B7~tq=8gMO9R}@6B3YcHq#3G(?VH5eTAygq;0BU%WvL8-EPOw-4~x% z%#AmJ5~@e-+Ok}BT+Nf?HD~oW?mJl3&1~;XX=;V_P_u1Ymg`nmZ9rC8?;0QJhNbCV z%ig`G=S6m2-#Z67P2pSKlgreY#S8kw^)LuHdFirPJWNmbuxhV#4dcg9_2 z!TRUrYf_lXcXue8azO8N=FCu~x2suv_uk-z3fD(2vH)6gYA;O}qQ4hUB_<+T`N`%? 
zmmbo=TicEJwk+UJv`wS>LO@po58w}z)TZghS7FVQ64Kfq*StLldQ<>#Db{<6PA_RgO~Wd@;OyCTmkGpLk@1?E(@Wny zzhfzGZ&x(&wp-8 zdT}Y?4Cvsl-0gd%TtilVNQH}=8E?SNyw+C?L!Y!>a7G zCW0bCHEF>JJ0^Gu2kxuN(6G|}u(Sg&+oET5=sHqRP^bKsO<5kxaxJ^6AM7|rtkn2Q z+Lx-c)prV+2&KXRv?1e`LI6HMuft=~D9+YRLcK0rsucbLjQsd3SRl4#W;EkkeiQ)5 zo^W{;@x0<3P}scVibLBUXN*J`Hp}fgZIQzEs!DopcKGCS@4SrA2GZJ~Wd(9E%|jdA zS-y2N|Mew`QC&_2~hM`DH}2}1SzX;v~qD2PTT zAR;??rYHC)HzPyb6)g{T-U)geDu7kyaOT&41L|BE7D0k9RU5^bTKY$n5iG3508F9m zIy#U?pmxHr68Rr?u00&e^zV z63IHNP?}~Oawr-sQdUGIWgJsMJ)2a-@Wm1K*v%V&_P*nUHrT%{X^T z)mbr(bm_Cc4HxR8LB_{f06-P#7SQnz#kRC2u^MwN?&f(ynS@@ktU1baq{T!mNlKt@p~3r zeod`bm-BCxef>*q&j?g2&Z@O2SPL1%A&+7{o5^no{-wGB0s~OO@y$2%*7J}l=b7)^ zWZc$QI2lXJ_)}@FwsNO;uSXannzXIGLHz-|c=MF14D4liUK@b;)S z0D~O{nJ|bfAG8JtLw03l`cUX$W$lr#aUS<>hMHWJO%GcwJ7!Q!BpJ!e8?>wm|LtIJ zS)q%?H`$wZ8Wh?!8)Ppftypl&R3ZC!OwOBPRYJ)u+v|O&-mBxS(@o_7@BJI?ba&`l z?IxgI7_}|~bW&ei8<5v)3}N%Cva&e%p4(!*J9|4#`V}jR9-jBe2&6N9d2b%sB-374MugeR37MEF^yMRPC@^~GmddW!fXOkpp(F=lozk7uUwPKY zZd_==kl{5`kWA^kcz~#{9sKg z+ZLH|DNVcGyGi$lw3`^P^>m-|u3fwmQ6xA!W>FS)4}&Cca=wQ1mUtAJOxnu7Fy^uY>u zrnUs0Eyxk;qsZyiC*)oj|3dZIO9XTRZ1uOR$$Gk^AO84uUMuHsuD(!=?dIq+*P zuS_UxZz7}m2Z(%B;h^b(zlR9KC>#C&Fgh#~zI(qyufNR;M$8Q|K z?NL?^z~2j*)%s4|kHtQx50;-;57`9#CIAX`N&$?`Vn#-zf;g9AF2^sHe@y7od;2{K zy6|oxmHr+9^j(9SytlMG$g2&j-j%76E!Fu8Yxm{fu6*#n!FIt8?0Iy7TlD^*ef#2e zuih&L#cv;U|BfkkdqF5sxfi~pMrNJTvxIssmts>2KDIfDWRxCx6d+i<&DPGwd*;Xa z?|#JJh;vWCg&JV=iCWu@DIHy!&z@|qkXA}K*p>eCXvsXe2H%|5=h7~zGu#_#mCz0W zPH~OVO%<3_*z`PtN;^zp!%H{<3*`*g8wwN-wk&W^^0FOr#RLT+zT>TToovj#aK2G<_Zg-uR*})KYlQ094hZc|frT zxMEHDgupXN$imeDa7C!_i&DI&2zqYkiZ|T8)(iDDC$4PVOJcBVvc02&n_ev_@1^(d zq3xgNxZUdQgRZgy3KX^d`bDpM4El^nCbJ7CY#to=@ZG!4u(;*X6@7O{>xs*Orr9~L zS(`YB4FQB30cm15oL-s~2`mo^o?xB-z=MhaBmpSt1jSCTPR+rme@ppQL_~fyH35g~ z9z#{5^#WCUTws zO$8&;#bLB>Pph1kYIt_LKcu6}g-G~9KTqLs=$8H;^XNa(U+&zn`NP}ShGEHZj~SI= z`-0-)IMx(EJ~;@naBc7lh6b%0koiR_>6vyAS^)ekHcMBOK>ryB@170$VYWk&lXlwF z9nJ{snZM3Nf#y+j*3|oJpmOD|6^BTL#zUP0Z98F=F~+zT$`^%~zl1eHKCwWb)PP#8 
z6ydzSpew=aj517MZGbYpmIQ*7z9d)#R!?tkRKa#*@rydk^o^u}y6Nc1-)fREk&S}u zSVeRO>i`cqZSLe#4$yHJ2e>SGaz%q4VPw3{%YhDqUjb}$N| zs zE9b6?vi=Q=V}mz3^(fFni;F5#WSE;%I^IZhRS(a@7kMdNThTPWG8j%9xt(Z_xmsN^ z?p0bAcTH@*FG5;zJ3ZhS(7BOoL}D|bBI0@xQUXhq$cJ3?Z(*!ShLU9;e>f+%Y*$JA zXgTC1PNmzru-;3HMu%MrHz7=UJg@jHj!-NQyXcX^(O@(OBmo#ecDh64{xyS zL!O%Z1T}7c?sE`C0rRnZ-ePo0TE-*m=R{?OhjlAN0;K1g#Jz|%^>3B!{N=QEm>StY zHFOeKRX?zzd^t{61?|R9fe0zF=n^D zmKT>@jJpBAbNcbFr(K~$!aF`osoZE?j+YFIPkEbJW$2%2x0wOL+;%NMQ-B-^G#Z11 zAwl9K@oCCYj}AhnG}J?HKxES|{-Z4Wp=jWFaTq{Yo8WC6E3t2qt5@hcnwg@{@KpS^ z+_OBMQMk&#<1+Nt#1_dZ1tm+tq(vVr5I=>FMEw`q~ZwpKWGHU4tIXgTDAM{y1v9Gj;W)fm+N6R`}9VeFiY9PCVN-|Ago}6ux zWC7hbls?D|=pI2ot}Z-@Mk4@p2r?d~4)f(u7v@ClMmik;%DAcHjrdVJ+b@{+k9i|ImwN|MDiS<71a$#v$wM_1>i}wvM=4|SB4HqqeQ zqLG#eEjbwhB>~puVTse61bl-$lu1OZKpZ)o>27|S)jxaE;(FtHDeU58j4l8eD~CCw zz4;UmOUw94fOUT^6`slA5sm;y!ip2{?1B+n!8Dq% zl)%U29|o6z$mW^?WrPiA`;8W`c>ffuW?MAxURQOB1gzNq+IC=n_r~(z#cI;$Yn@BZ zIsX#6@6;|dQ02vpTkf04cj%%Uy~R}$0P=CB`8le)*N0P1l9vT_I9cRTwXldXpx*Fc zm&!q8=F>KX)k^7f&8IbrfomofL?MOj$r5{;$*tZO@b##-(luRar=b9olxJ;;8Z$mdQU5M{%6L?Ual9B6);0vE)Fk;}2Ok0*xu} zxVKj&j?O21@R#N4mENX?x508aB{5Yvo&lj&50)adcqb5O_iGfrzl*Jr zC6P30GW=hj9bd`b)AiDtp_rf-@g?m>$g?&zXM#z>xL0LmLa)+%Urgwlazjn!mcH8* zKxV*Q`4NCZ(@~|tN(Ij508d7jM`#L#0Efg06C!{Vx&S`IbhDOb;Tvg=O~7tAhokOl z)C_X5jH40q4Q6hbe2NE4Lo5aO{m(GhAIhFxJzy1C|9w~bH!U#|(F=>M+?0J`(**q0 z3Reh;3-f=18}j_KM8uTe&VHI=Z;$Mln6(BPsd@3HWUcv2vjfksTnVVGf4WvdqPxGK zdkb-Mb?t3^r6YrHeJ@bR%B9T$68p%<6QVErEL)R=oioe@woR*VFIDSLqk(RrQF`*0 zo26e<0EH#Dwv9dOy+ru+){89~icPykKxP0z=6%OJy-nr`UgC8DolvrUZ>&a9v;ZcN zP%gnsLiz$m43TD?fV5`9S{^|=P)pfvzHHeMMK9+{A3$Z%c-#;n-*Dy|`Y9d|WZVdG z^SNfktckgEq~+c}Kk2Jp_v@9`Gle$SLN3GB4KY4yG60I$b-}h3vdEyF*CbyF=ID+K zx4TV-P(gjHDKr+~%KZA$Q;)rPXq&6iz3RJfyLSVjl#U!8x0^g4^H1Y%==(`v%{&Cw zOxP$?oJQA^o1>6PIZEMz?zmc)B0bOBIRop`}YE>p>NU?y1=@MX^i`!TeE3-&_F z`nZ(l5z}|dlBuJSu5IG-3Ju&{jn`I6njaL;CM%!FpIM(i#X~Y;g&$DN6z74|=D;=M z6HNNiEQOl)Lqtye4%6q*q35>OwlR3N%Jol0-kIHsq+WF?UTAR zbVif`$|ChN0N`q{jw@_Sf`7+222>gGsjS0L>e7M2v?B|o&sUu@yt_U_=X}Ub-jp(M 
zSLIdB(}*nb&*al$YF4ndv#_duh3uOrd2tFKZbiK`v-`*AL;50TXZBqOX7y6%ovX4I zfXAYhvj!PToiRCsMHMP|s?4FFctQc4Q{E!bNnRDgr@eqf#SifdtW@N+eDfh=!7>*X zPCmd3PVfQ@0^kcsmv>MR44bz&W2fv|05CU-xQ_H=|E(i*{Cy>OO7Eb!XU<$U{}d0$ z4N?vm$%k7zZP_}3Yeu!p#*G(-F$-;O1YbVFz;V*nd5fk(;bgaykj^HHUHmOngqd;z zuaNJMOpY@ONBaXM8xi=RRuC&48j{xvkTzhbMn1o_w`!9!ps!o13Cy=; zjLk*FuNPb%$aiC?uD(2R|L0QUQ&1;KxU@S#M@57ZIUDh*c$!&3iJfVHsuGgEztrJ= z*X;f&aMF3FQPm26ObX{3x{RUJefa9C%k-Vv6qep0fHqrOa>#-*+vVy4@&SYd83>hH zA&;Rsp2j>UKX8>_%4eY(1ro(ZSUy1$6YxT=c>9xeNfmK6Z7fD1P3c-`37{>_<*Jse zf1Dqn`taMOr^(8(cQ`W}o=@|bb8un9njwc# z3T2~LCn<*%ik3wZ5{1S&##vHJnzW)6W5{Y^J5f`pjO4KTeV^w$-jBNj`mKO=o}r(LOF=JD=BtTy|{W@*!o;`Q+XDq3F2^k!$awL3c;FR&Xv z2C-TyzmfcKsmxJ|%<#;8*X$aZ5s>>X#ex;37q-0MQ2>OOJOVG7Uk|Ib0(`OJM82I* z>!ikzIWuDOM=mL7=%+_K1?}H9!F2{giwgqgb2vRF@Yhw)dyWVbFE|m$;06NgqIYCa zsm;nK7e}U_1Vzw2?0I$!!eA^jh^>0AUlNL~hXDv_C1(z@0BM1JL%o#E>>Y1LSm3&j zWK`X6o;nM>nh-X?3MZ6O5n!RL1cRo)(Vs|Jq6t)JrOA5SX~^HA_Cu{TBDFSESkK?Fs2bXp3~wM}ZjI^m&*mVWSMTu!mC5G3@>dp;iZLy_sVFYe|+V zT%T`Ll`)I{nGdZxZem)eIe^xX-91jz1&Rb#7s zLIeo|6c9n7P5h*S(BJy~6>ULSx4GP0M!g-qSSTUkmu-R?`NW${>3hIZ=ZhCqSda4-bG#wC_=*Zzs3X;WC!Y=jV1#&S8@!S<_RJcbY5-Ws4OuiMDlWB*W@ z|8#;S-jgz5R64Al@5LZZ-lF|Yk4}_N>e*&@x+4IFi|9le+6~xB7U6?ap+8+RzXjqw zW*z>*GV|1Lg(cG8PBGWx?h(}*gsg&o>+@R2$Tb{InnMy#o;q0B;AVGz&G99bT6Yy? 
z!@CC;m3JW@)sDi{;x~p;g2^8?HG;Ds04VSxN`ZCMQuKEg0-^?gR9G3^SWQ_drs%Eg zJNJ{28u^08J#V8CA=YT?6^Ec}9zd6@&EgPBAc8Ix*{}|MEUX2GJ!=)lTURqMvr9t3 zbon`$$w9~1`mntOpB+vo6{y!FtW+VoraAcnwMBAMkC$Vr52w)Xcs*@wk6WST#JnMM zUCva|`UTQBcCC~toY0tjGRNAyL6T)X2jZ$7v)pl_tV8&~T?v?bB{~Lg=MRywkt5%< zM;gXueBM&8Q!CRYwV9*pK08f0xuw=)_)2Hp)7rRl>*}$=iZr{H&JCw-MerZyUFPlB z@N_Vv;<3x?Lt{^tkAlAI@^`ZU1&Jh6(J~1t=kKrt_k6^`Ru~PH1JU3I0sc{0H;Aia zij27zGhHh#84tJ815XAQ#fDA!O#V(+UbT*~toY9<0N zISgJpPE5WAGyPKeZT?sGt%?YqPLOs%`ZCYkIWyZ_fVR8~ygly@Z}D?XUcTgu9>bfS zLx3H;3KyNG{2rFf%zG#j@KN@_E5|H5Z!;yzf=yF** z-mk1lvPaBK*&S{U+4sg0AO_X$=wYRe)ogV&lWz5ANM4FRN z?u?5-z*`W5u{8X|s}1=JhTlqpjKqg0+kBggZ)hYbhe>-XM}Rwe+k*_J)QRA0i9_oa ziYUHbEXlql#8)D(5XF}^f-gm7z+d5{ynZG^TPR(OuaF=H(!;N(mCH;|ixZYGwWI z_Js*kM&u{CZX3L_4^%^T4Nt~F$Yp!ywU!P?RBhVED28$iJd71S+-8??{Q4Vz7U#82 z!d>^?wYzU4nAwS-3+C5R_7yS&4(1o&_aIypLfH#*_JySp6<{5l`hzPtiVT&?is;^5 zUktSdR?Eq|WKv)5wul>Wi4Y5FL_U;*f@_W-$i;>7$rQ_PaWNBK0ub8jkE%0BUem4H z?;GAuvI|l4tt4uBI&sNx&>7db7H=$PA}2ABcfkgvfhhFu+_ps_3nLawiw(15DVriW zeHQgMk)N313x z69#I~xZ8-z)kKIZNlqR3pl;G@_vsJk=qg~&s_ zNTwoWKR`Z zk(X|kpmdJEBp6;TBZl6c)*=t?J}xdap~Sm3Zcs~&xh0Q2L{PRzzxVR+*(w_o#sygY zR4WUNa+bu+CV6B9J*aGOxtAMyeV>0n=hfazo$e!-{SUk5ps*4EMUbCD*eMiCr3(C1 zG*I;i!rw}A{++Io%F5>pj~~3!ThGH3embe(xrbhq zYj@hTqIu2HKW4{Wb9nnl;cfnA&0`G1AdhL~3C^tS}tv zJv6pbp=Z@Wgs2d%xniY@CfI?X0V}6cf}K<@>ZhW+9JmauE&Kzm&wh3NO4qJ)#~I2? 
zdxw&;cKel4f5}_a0$`NRp?NQhkFG_q8b}kUDrjE8x(2q&Rx<^31v6WDVLEr|pOgdR}j|r>(;p{06CybqZ z3*H3{IDESS`CC2;og9|W@fsPA;sj?Ety!;DUaiQ}7!IHBH<$DBLAr9#PQQ<`Q z(lXUF!Po|2p;#`+F{cZSb<}_d%6v79(ZFfXFtL;imv(i4F9Gv4Yw;D%t|~7t$*(i& zr`p?_`)f~~ed4DU_I2q4uQm7P6KrKKym?lxU-<6eDnCcbr5Qh2%I^%3RUz2T=+2HS zH5Lg8{cFy6@vhFlNgq-8e0?s7@RM2~@w}nle9atbvT_60{w1$W`c) z7fiA=K~+U2#z4#4s?<(OQkxrbP9U{uSRbW6=NQ*<9SD)B+ki^Fl6$nkhnW z%3EvMIhb6Ygt`<>m!CuL8qm*wK78nO@$0zA!~I7r$SbX4hMkP;Pxr0h8(&ib6F*?pmYYhY}Nb#-qy`#mm1EzH1dxHNP6K5B!N#FZ55G1I?PP?i~PFxv1AZ}xah zbyUiV`b)Yitbiv|1ulUQJZSz88d8X+vd)2PM$-j?U1!4V8uSgW+}@O|x&ZAdwkjhH zzY%qN^euJQSZ#|!SNg=OpY|xQhzTbh z^#ZF#1aQyAWL?!i{h(bVdtZGtD0)i909*;lL7HJeRmtc979%wrGJj;Q=T5GyAi7~J zWnlTpt|epn+b0=`$y0r2f~UH3+nCPZ7!LIfDXvIxThKD1v1MlWdmJb>1*_kz2U3Rb zh4cN-rCHWH5KRLX$ykDR5MKNNd~zE2^7w0AXqZ?GYy-i5kzG{#AV=xDuFUjX5&i&5 zO2z^+9VawA1;Ra5IL|>O6_Fjv-=gLx9ppp?*G|p*e_8Uhw}?2DG>j*&Ajgb>_xd?= zH8sBq(NbY9VQc77QeL)&KI|te)dFI9xr%1= zEB!A~WRcph{W=7ZrI*lUbZ^k6YC*x(Q3M&KWzQCTEhGl$TcRE%-=~tZ&M5^w89$T` z_)Gc^<$liWm5IoI@hA6!oggJ+p0ztWP#~mGI|I(1A#b?|H?7&&4$p_B*wsw;;w`rx zI9vCx;1S&Yww-+BRswMsmASI<2sQ*V7Gk5ixWQU*F#m&_WspNYcBJ{?nsP-<@z zL6`dLZxd^NMxH7XLDwrEZL7nX?{O#lzl`7Bs5Dr_$@PZ&ef*A|>)(o89*W$~BoAG9jjNI6KwFSJkd4+!@vWqTRp$em_w3fY`#9 z;$6r>(L6bavW3T&# zm5DLI(O_*=oycw{N(b;m6f9xmxORfN|2W>f3GLnzb4z)Vs^oQ>8{&ejZg*5MPnofl z+1ok4*b_z@Uc4lgh06U3#a9H5bZYjNQxBrL56_v#g(#zo@>o}L{eO8(cmR(r^4;!@ z@)iNU8)2>F63zS^KFkVkIBEP2W_FJ%^v*<<6>SqTS>oUx`z7Cx)F+LtzvbqeQdX&9 z^?*C_9#>76NApzId%i#&)j1oW8~*VRS9#>@N~3 zeAI07#pOGDYy}{(|W!m^*`*Lc|276|HqG9w7UyYH{`ZlOf^)>*Bz#9 z(uT&;L`9SemFkiuj8c^KmNj(|iLoS=Hd_+1+^ekRmOX12V;REC@0>G>QC;KvecZm^ zdw=u!-~Cvwo}0Mvy=T@b+sAV!`i%aw9>f!T4rhgWp$J%^joL@)Fg2+q3oF{WK_ z=(5GpKpHvYz2Yiu$$mxW0-@a&xCiu%^Y$tme|eUYcb&Kil1cFX?gG*TwC$t1meq#W zh7!Kr@NND)B)*+OLYn9Of9$Ttzn+`hmL7jr$~Cnaui$EGZpo>pl1(+sdya&acUoHI z9{IZGRUzzOkug1F@1{x%>z`J`I_p~zq2JlL=hxG(=8NAQeW%TY7QS1#y{x*%SBj-G zSMySLSZSW;P$3C(cQ%V^A`7T;|1+x_8wEpGYVlm=)=1ukTu3n$=MI-4!@u(WoS99Y 
z5XWvmU%gzlMHSZ8iu;9*_?iKU!^YpY>rJx|VJQ!j=C{g2)lU_P{GEGtUDHJ@ZJWs1 zf$))mk!N0uJQlOB!JbAdIRQM4i~cxiNr)f~r^>23k8iMsH)y6(gHN@scHX^vaNAe7 z0aRC7-Xo?erph zT7A5A7P=4_4r!v?BTWCNJ{LT8G6_4*C0MV25ux{swlc;lHei$qnQe(|)ulXN5-6Ff zU%+5Ow{OwZN~J5+%HcF7oO-C%bC{mt&r+j4M(+i;a%DM z8!|xwZak&KxWP>5^jCNCXKIfX&yZXOHo!P2@%`(|+2ST1`f%}#>mmCrs*D+DYC$}v z*3`SFipSK<2oj`32YL8kW4C($J<*MAwB{qaIb+{l+3X&fd85Jd%r--f(^GeQ>clxBTf!EGgpQ8>9iO3mg7IOFY zgB~mmlP%J=S^zUeh4Eh3Ziw|9V&%p`6?NI)wHBu=nvvI+ojSTNZ&!1=O=M&|K%%P9 z0&r4A0`}RfO}pT?oE2RO2AiO?{4^lK%q@>pp%*>bLuuu~md}DfG=xDr+~!DKtYd~i ze?;4VU_B`zwz-Iw0Z3ERrO_M0$|DGDwa4aV_O+GjC9+63Fk*9TEU_8OgfPq{2nuJ} zUN&&_)~TM*+Wp-%H5$|d6tf_xW1towX(zjfOoQPOlQwt&=i&6j84n8kiIm!}r4x+zWmUUWMNaeJT z=O8X{r!4tZ&ZcMKUtI$pK|5|tXkY5;)5<03Kea2F0p)T(%zcb;3uXnSY}UwsGB}xn zNI-{}cU}>cg>Th35eRS`IE244`KExhsHPUVvJ~V#sM?sxpo>FTKY3M7CE^ce7yqgZ zgi)iYKf;ucT2o}vU$`L9`&N?3z4xU^mG^S2xgIQ)tI1Pcm21qgY%2ZW+exIOI!!~Q;18i!2Op1ogIwHid=MVF&inG0*1GO$ojdUz(#aA9Wnm27(oqh3V=jUpK+8R3_ z6WFNYX2?p?c~%ecODp=fsyng+v*l8Xw+qz0J_|htXE=^4z@N%b4$E;C`_>dzJ4gj^ zQN2ml7Um9e)>_1ev{bo*30u0@uP%|i^s(yjoWa}b98lLZ6{$2^GRrs6r}bTv+95i! 
zD621>6Sr)`n{@&iNtqDQVB}7Y|Fyp5%>P7%jW)Z*<&CUl|GSdyIXss8X71O6M8-k>)eFOM7$@;>E761W7fgxCHWH)f ztjhadPazu{UNku>{)qljy#s=C0I=Xk2d2(H80eauEC|2j^ zObQoN<)2U(G(7ym&`!Pm;V3&>BxqxYNZ@KrWa!+G8`(dC=M%aZAKm7RrtCls*nW}g z@?F()e!~g3G)gfs@H5;!LDiN~FTKczWVThPN+}M`sshAxK$x8ryZqdpe+7Dfpq&G= zBRX3DOu)FZ;vYowcY8bv|CEn~{R73rbE}?kiZ#{Z&4cYmW8I#W`+=(uMLvOOdi)sU zFepK^k#D+ixp0``EP|WkqNp*?c{$=s7qx%Y7$x(aO1!*iR@Pa|#&|VC%A5VrwNL=X zh`gce@?0lcYip`*kDQ*}&~T>U!hv{CODGoic^{HTkHvN~2gvIl1-SYKX=MX_kKg1p z(gVnLzhW_xPe_r74_B;VV1cvqCWn#PvBDRjK=}h5B5HOT{%hb))jOnQnJrb59*R(J zY37~2DqSF9OBuVIJaY|qPt%QKx}Pv78tQczdrspIOhDR01bckgwNQvi-yi~4fkYFQ zO#+6X(Ko`tYFY87jz>Olio1)!vmn5x)n_+cT2H*{65l#_`4S2#?}qM#$_A~d<^qy6 zX;9PG(F}Sky-q2oEyqR|HeC30#E?<8uk4SlX*Rx5i`cMFMjAq-rCz9~ASnd=@re;y zo<^O17pq1)*O(rPmQ`=RQdQB!`v*7n!>W1nMI>W~_K%r#g-yEY6gG2nuU7-gU&=Z-oTw#AURh3NXilAa2+J z{^Xr5W`6u`b^&{ospvRdAr}*6&~y0CRoJQ!szN{zjbzll-bFi@?Gf>*n`??Kg zH59$1P{mQ~k~-@6Va(~Zn9Guhj8Tt&6jnJbH^}+JZ>*WXejsb5Qy21O!I6Bt z;w(dCgABiBWX$anQF_!nj#V=ROTSXMe}Vnh=pSMOildf>ghsPq#&;T5D4z2`@M_|^ zwe<1ua5C5h>+oh$LBsRSSB*Jo7=4dRF!9_~7xl>NKp3h)MyFz6$o16)ir$H&yy7F} zI3D1Y=P-zY{`ivKH1kfQECgR2qk_da7{CYq!kU70 z?VZ-7gWB)>Jhh4vOGG&wpqZCYQsWa~HkpO&ni$jVzMsI(S@C`1%bTv7kdmK*wjNoY){8??{n9Dt6ta7*Kv5W2O{IOe z#iXi~2nH_XCcFWi9Os<!fLZlsT+|!Qq`i-Kr~Tpixw)_}qs3 zH?*)R;&P~kw7-hy!{8^BrT~z5)Yarbz=b-^YVD8UOZ)PU3#*!<*t8dXh{I+P zjYfaX1bgYEQ@b;mQbr5H*JI{ApOyK2CQ5*o_5PL1)Ni?F_C|x}(iK5!tKCv*`m&>M z<3Rd8YXu+2Qk*a-pVotsp4{SCV!HU9Itl-@_!Xhwx)v&khgcLVR)N6x{E$(_coj3Du2r3rwhC#~pd|SF1E1fPFf)_W$kJjU zg47;F=r-CMZf|0;j0MAsEPDU)kMr7Q=*BgP93oSdjI7dxcC#Q;*xr$Llhi-uhaUso z@G56_Iey1_OyPX>Uf}|;w9^p(g;OF4W$WJIC)u-1F7ELHX>IrO z19Vg$oyyF5G`gCRPbpY5Iy^#?74O^^E0 zoLG1#JRzkvLh(izME4gb&extBa(}mD*V@7jS+97RX|EXyZ|{x8t(BU=MPUrz$^ZIB z`E>gTJ43_58UB{PSOE_86WDE8h|gAq_l|56P_A8`qRS`I6d4E}Sn(iBr*n3K%N#F_ zCEsmUA*b~fUeWanC>j3AJM3aX@X8ut@8E6S+4MYJ8Y7?lNe_2oG-oj)#<2|gZJpRZYQ#TMDM7E+Pd0-@5QoubfDOztPnY?7NTP2=Qn6n=Tk!wN1la;W6M zACUdg1kkOi{;HzRU&vbs0Z94SeQ|VkTpUB?-wtkTNIOBqRFKTc&WyPU 
z{|C)l?W{iFG1=&H$2=WB#Ph4d?BF31q#s!mq*nIo`uka5j!;x9N!FlHv)C?|4?)<*;fsN^}yFVA&h8 z)4cP_>c3Sf*>yaFb%Lbr_^ajdU;BglaDbyjYW%2k9hPD#|LFpzyN>7RO){h<3C;au zl;Za@yi)ONJcqy3QoURRQ>mmPj6|?>JsiI3WMV-PX9tB&3c9dWKigoa;qT6+ydosB zdYNze8Np(?S@yf3B=FLuP#Uxwf7W2|i7_)!C)8>JQBoCW6_=i#wvWyXqBkN?RC1Q)%g1BrU%yhfzJkWLphi%FFRI9=k zQaCqUDybyq`;EO~#WMZ{m+1ROXu#+{gba_Yl)|efj_fJPP#t^C{etCrA!uz&L#0l5 z-W3gQdb9OR)y^{JJg@0k=;vbi{LVg1_E3w>$3``kX*LRNi%=3#W@nRf(h#Z$ z)p1&ij{JrDc`(3+J+zm)ZcjsUz1Z_j;7NRU$l_E zxkLR2(fhwX;Fx?5Pc>(lV~C%&J`01FRPTjxoy#?6)mT)Fe+2*TH9*FX(KmoY>CpS> zu)2^+9CW%LI+DqoLr7L1&1atzy`A|fT1oV2TMn=Nw&8H z{|!JJJK#Rq{&3E}`O3R_`!BofJ<)cVVh%8=VIDJ`X>|?G*ZWOEP|~#2p#yu?7?b8hno@trm)l zm)_p$7t}9e#hHGOoEMg742G&+105@cv$6lS?=+2{b7iC;(@TYk*tz zFgB+Kg`k_M31R<}+TEf98-EYc5mBonm%E4?8jJB#bxn}(?K>t2O97l(0J)Xk zvfQ=j)4@U55N`*8zH?qMFbTm;IM&l!BwH7Q-XdZ@Wkpj3tXviCtd*4)BfDA-N(*Wx zCR)LKgd_DJ(Jm_53+WHrkC&U!)^;yX(ZjWlRCo%6lQk{=c@A%%jD+6e;qI~nf&qD%|G~jL@3-f_K8j~V_W3rm-5hqx`V)kPR=3u) z;??KpxideQcAoA-FKp892j@|wBZ%zmy}ci^3XMk3alcNfh(`9tu>E?SM#4gVK`?Wj z+}}Dj3!V8tg2+oyUY{&+{R9U)J=7hNW0lxh=g+ZC&jz_uG_RSNi7kN{YXgIA9$Z{( zY*N?RlXD3OJFCJwd3cKN?nKD$4gl(QIpE>Smgm}ds=xCP5uv}e-`~Y!LXEZs`?S{A zl(q!4Q_7V$`OvN+DEd@JY$;-n#~fqVDMA6fDu`7~L321YlX@2Kq%x|>d$ z6jq{SMn~3+JZsR=H3rV0u|uOOsvwGjr-26fbYKQdj_@JIu;CTs+bqubA75 z$KR=rrl#N!*PFzw6AnnLg{#vmQ*mJxikG{s53dVC zkOr=bfk7n;&YP>jvx``ha7935zU+{c!^3Vtwq;UVTU!Pn60!!-HqVnDm; zXC=(pc~nwts3_lUSd3CahU-wx((uEHw#NlzM}lDN(z`6pxVc7i73-Tw6Y7-|wANLz zgC*Zzt08w+*PbR14F1R*zN9+o2SXEQ!M2b?;@?5tRp%lWlnAQx;plQk1-J9cVmQ@y zLP1#5suOtXS)2-A)_IYW1-$^;RQ%R zU8JdymP76gr6eVx=+m%!^b_HZ#j!6grm&t{mm)LOaaXf5ZUe0pu zijMx`Jylh6J_1(*b@K9plt>Pj#_|1zOud=UU62sxn~NTr!0^+`EV`^C55i6YCrTWy zi9VVVWRDy)$il_x3x0kVyLYOv1o5@<`y%j&_@84Hh8JwRn70BWA2}r|1 z)_RDK&&n<&gS=|7R^*=|4*6J!c90Z%k>xBck(eun3r{W63@2>w|CKzOUS;O&x@n-L zFW?+A=d&+f?9$Y%n)SnE>FC&CVH;c8VykpAUxD80Pk;yTd0U&j*z>8sN1NhEM#c1d z1dntSJISw*a!lE|w+X@9?)2kze&N3Tn6#K?E*IzI%$Ie8YBNGKL&;BxSgS}sAiEKX zq-1(7ZD~P2evd)Ji-WXeE31h#scUv^!U@F8<_zU062V@|^6(g<5KVzLhBM*dELG(4 
z{9|wz5n&Vx7d_QG#QCmtR=EkZv^Ra-p9a-rXJZq<)@^=kS;E4nt95JQkY*pLP{xU; zj_9YO{&GFkB>E+C{xR?psMDpf+1q>3B3Fquz)qORP-B~K~5o*Ay)G7A(5CTVmn;juD_F8>d&X1Cel?wSRA#mA%rcx28E$nr(r1Zf&)79H4e98-O0cG- z9pNcm?I^?X&9`dkIlmZE<|0d&m~PHjCc#F5&pnczJHlOPDAv;}m4+`l z(iIaEGsS)b6+GS-*#R(r9#TC#Crp2D4s;zDUJ-@3KAp^1f5G}5NL9XvFC&nqcF+(phoGSh%GU;vBh{jvWt3gCmel%B*ni7mG{1eXfK}JrFFwaV^yxxxC zaKgIVTR=Ua*vr~0D_wV$P>Ub&E2^^`+~4Sc<}}R6DiwLvu^Ry7XUZ4StNJIFSh3(4 zd5tL665BMJk<-z!xqtY*PL56wU}Qv}JkAVf$bnT$AdtbHt*OP(don-h3W|*S3FMl+5?4@$7qR#rUbx{|5}Fq4AqcV;y=Nd3sCO zjFnuNmUC{q2o9fZEj1B$UI74fwG@?ux+Ipq~oA5m~)@-Xo=dCen%!_!gA ztzN%)qcHcd{aWH+LpZ77G!!3&a8t*gnntX3{#4H-6B(jV=_7uvV{uMv>x|3QE0NL7 z;c*9@sQz3AP4!?XbA>OFutVh<+|zKLvT`-*+Rp1j1btO_4F(D6i{RxIo87q^=z!A~ zwN`@Qi?p*VC^^m_O+vYO|7*4)$lOSMsF-MAGRPSoFbf5B1M>Z3ZSRfd(50vFPHMwg zFY(4mwg$h!(tW(;0KU|`>b;3Fr>qK|Q=(*HWgbhfl9=M+G8-LWG9a|P8ny17bMNkH z!o~yb`1m}c0}C51T6{H9X(;z{9vQ#8ZAU3w%L6bqx9~>V87R0SRX3J$beq}w!d_DQ z76&w!&-%VL1qOlu5zjEFy}kJs3|R{$Cyv9itDp8sDMWWL%g4Q!)y^k7luU|^_ubO) z`U4UO+&TvgcP(2U8%Z|B)+Hpz;dV;5LBA3B)X3R0x8@OX4e))PnXsdz?pwnr!}ktk z!hAnr5?~+`6rtWxSLT(2AV>-~z$n?XcW6e)gv^Li6cAhKHP>HlpBux`9f~nR*R|^5 znZd3POG>F@${#F0tZn$}E~lS2w$$%!hOoVHJ?_IDo(^sPt@Ao?^-O6T+to?9Zat2= zAey9Coloo)ysWL+tJ0YGb`{CE293W)Z{~C~WMERCV#9^*V^G0U;;?JItgg%Pc4>DK znJ)SiHpBpL0^V4R(a@?%)q;8V&#E5WxB1j7TsV?8N@3ILp%HJ_m4j!eL|NyDs->lq z+t2o4vKW{s`3tr$>aQJ(R8Hd{J#NNqziR>+uvyT-c z?5D>8S=ld9qyGp1fb9OIkJau*@lM;VslPMBp?l0QAvtZnKPD>~36Duxib5#_5X0DH z+S=M3{o>ek6#Rr{$+m3C<;)fqFQF?blIthy<*m;WdPcgRpEV8xJA`9t6;BZSRVlM) z^1m9WXb$B1ft%fTQ3DaN!NPu+BZ?PWWioBSjewNJHb=ki#SkdckO#qJYmto=Q9BV~ zO+U&SFADP(cJ}tR`agT45Tn681*e(FUEBoM)pT@pPIg))>=2y6@Z10R)`UTQSoZ{( zmkv2AWIU#3Saj%K$uf-@PEEtxbjS$NusCi1(hNF0?@LL^%OOBK_n4LRZh2ZS4vTJ` zSJ@Jb6fLn1R!OcMUT4>usX;x)*z4Jt}! 
zuh|h@UDZ}qH*d0Gu9Ls86o+xlNxtz`QSWjrOHZf9&fXLSF@|Y_pevjy$A^ZA$!tYCEikeHW;gTbW+-f_5P_D?yHtbmHgPmA)pMCi#RmYVmg zB0WkdtOpVtTu3i+d|mJ@=cxxpQt97gQL$b`L0Pvjs3uimL3#9Bk%GuHQ67>zA5pJ` z4_*7I5^`B$-PE%xUO1nPAXk)9OG9h81OYL6Nq|%1ZvBNl2WD1*EL2v(BuO|nX>1%N zp9`r!LJ&D3?a?AqRXV|TL`4`6+z5+KnRq51Et2bZ*oO)+5C#yw8dr)HOS-}OC%w|d z{KD&YzfI>*8``IAVUEXi-4m2ijwN=v#FV9VF#;U{j+mfEax zZo;(6YB|^NwD|pIJfCd;w%05UM45OpQsmAvt49N^g%71yBL%`!&sv|@CZs1>nN&gE zLTKJkuUUByZd^7fcXr;lBRRnn1+G|l=brgF0!aCL;#s{|J^-}4fsgEGF}KNIrqg3? z5fk0BfzAgGW4HkYW1(vAe4`}#I|){PO5k|T@#hr2r{sb~8UMOa%tgKIo*K#UhVH!) z{Xe#Y?pMd%`CLRsVY65SEhLarWGrjP?<;;Wf)MBj{P?R?{-zGy0%6?fwv00-Ms}2d z#x7>K!td)*m;E@0STE{k!60O&UwIM6`?()BS$}5wall~Zoo@?n3Tfl)xX4->Sg~y* zmBmd-&gxj#r3pLAkzbOc;Dn7jgY4jBZcs+g6sIz!j)=Q$2oWWKoNMLjW5zx*Y{9yO zBkHukNMU!~eM(;{vK-WH99of#iHYS5PRKTsSj!ANju~;IF?Hy#{|K$0M!QMlMLXqJ zkl?n)A6zgHF7lS3H@JEOxadP!sZ&{kX?0zbX1Z~S$DG0`-*PBIXckBR` zn4|}j|Lc7wx;`Fcex}wm5ujD`AE;v*5C0R!N$n5q?-JlK%^04JX_K1_pb!HfSbKOK{uI6m(XxYLR-FP3G+UW zHiMPNTeb~wc>c%aW&*+L`XjpV8)|e3n|gSsj+~g@n^tj`z%Z66d~U6K2AvJhvVhW4 zv~JIdn4r72DeR279oVy{Qg(!3_Ev_d--|WXJyjAdFA+GqUl)1aqHL#x|5viU6u|c4 zn?5)Qf-Q#J?RfO`7n}AR0cmIK?Y4KjoOeZpkXQ9i(up?IwdydS9A+sdB{sN+g|;w& z>zkwo@6RAsV!EkmOS}{I-D*e6n7)0z)W!!SEv zi~cE}fSK0XnQz(5sfVSc&Q!U<&JMs+ybiE2G6N9+Mf@?6ZML`824(qU0Yi_-_2wqgkzLh5(5swIkmmZrdj7 z)eE*!B}Rx}ZiVN$r0lLcXV))zk>I{6{L!Omk39@qmrdI{dYd`++uJjg!NGD^M5y5* zP0JDjn#m}pkJiD{QsPCc;oS5rdGW|QV2YRhuUb=o3~3tS-NZxTy9TSpFb>iIzLcr) zuTp>uAG|ZBUS5LOFSpwFYAu02^L$$z=f{P#JIgIzc2&~Pd28Wh$Li7@&$=>&H+sQj z1iF+_1#4eEYZ3<(70Q*JKaCO(_*?M`=P{|X$9g;|Q+_DViRtGby8k^<@tOeM$lNP< ztyI<}oYjNM>M{_Xw$Ts{0A3 zRi_^o?e6MdCMX9om07c@H|`-Lp|ZN4tm1P=OGEgRC22_Adk4-E%+W+e6WFg|HJ4wM zMI$9Fg9?w(@NBV}tv6NpF0ka_1u_fo@qm&{2^d+g$7*~iZz7*6M6JvP)y1&InAjS_ zcDS2J+w67|eCpq(^UhEA)=Odqbsb9X^H12pK09smPWwCa)Od`6$Q`hGB_~n!{Klmho%+Ga9uER2kJg8Id?@ZTkB)J-4%?ypEF1_&6kZilhg$?7o>shQ*EDp!U@9*0- zV;AElK4|X3mcn}x2rz5kAElgok=@5j@#-mU8Z#^V$DjAh@^>b#xFf4q$3Nz#(>@2p z{5uJ{`-;$;fgwtU*@Wv_iH^0iyL2X-0}z#rSNN_82dDXzY~6(P8}sKgT@_hg 
zNCJV*;Do%lD+9`q-5+x=_|J?Z=DYqne(IrVJ=<7(#@;`W!Jp+AEKIK_usG=NFJVQ^ zRT+9DADq_T4)n=RKV6cLkYE3;-YF8Cmsv3us+WFEvR^;NH*@_jdUtF(8f^bvX-}8V zh-Mury)nfwn=nojV$KP#uIa##4iMtH=9rm&XRtq57mfjSZNKZ%6!*Y#3@8c*;W{*n z_*CGXl<~oL1=WoL00)-Bq0; zy~dUg&|%|G`;0*Q`l!T?#T$NGsa);Ivm4elJ8aY&iehqOXO>#!45t*LAKzB4ORauK znw0TEAayd|Y)?v-nr^n%slT2@hbVtytfuu-rtt%cGFs)$HuzBHr)%p)?K+m1TKW5X zJq1mMq!gDXDm+vRz8_!P$1^|>IOp8r``N|(%xM@23}2b&0X#Lg+8u~3Us^SOZ|86k zO58>mPlpui<`v5^^6LqK=J(cx)omt^rf{~M4b+C*Iu!wrl2<|M(#tyST=G)}rDqQk zAiY$c5L^HKo=5=`sDt`XtqV2zMNb=HaE|l*P_EnjUQIWNJ1*{a?oZsA(_nPYSMkV| zUi%1-g440_LXje8cqtRZzW5w_GI_GgXa}da%@ay10KPP)BN%Q_hF|R~*SI#tA-UG; ztf|9l)oi~rd~5P?Iv(r7qaDHB-kzV}_lF1ZLr%=U%tk1v<;W5@2KTEB7Ia3@B}Ru5 z@@eT2DlBs!ba>tGk;H zBx|74r8R!0Tbm^bhY|IPn~s>Fl28LnKYx0IEh~jO0vpMRV8nHAOVZaDn{D$tneFI~ zE&F))q`jQmQCJ(<_1rz>)kfA_);O!+{Vt5ZN{vP-RWwuNe`{_{rAGTDU2xqkb?9w@ z?d$8iqFby~uf91&J4G8g8To>HY$|MynV%|4!6d8W9skpuTv6vxjTCL;K={=1CElt- zDWCjyMbeA@xN&FF)~ZpD%H0+;dUSqi3g7o6u6Au-;_)1-<3{hNXUu)SLd!>IO5hwt zw?yE~o!+uEI-{(ka;@W0dHLdZwCb~bS_Q~_jf^B4{TCffkH9})A62;nxW?jt)m~{6 z{`qCIhLujTd&ySpR}25FRgwd~m7sjqW~KSIb=?z3)Hdd@R&N)#T~MCEIe%xVwb01D zN0n6p+9b;|LiO;n(<42a`4543e7homIbILgv}AV8vDDPlDqz#kZ0am&1X6-y*8T|8HMk_NZgp|Vh8ozR;6X2;aU8{>an&rl5oE9O2wY9#Sq|J2G%l=_;~AxFOkp~wwdBBTcxV?wzIOVv9dHD`x* ziYIBCZ^lYkE6nr^gXu`_{X=Ta9LG)|o#)Lu{Kz~~jLb6FI&_IpBER)T0l@GKvoPWS zGV$KXjvGG~{_5Wr=)vA-$CzY|pCs$1ob0cnR?>B$$gsZ|Bxsc#E3=vdg?VDL0NIh!eY>it1sY~ zMR1;a@u~Z3QZOb*Nh1_6Dyu9hpYvm(`6X-lg>2-#!~jmH=otC~PCk1j(ca(Z`*C`h z26T@FcT!8t=iTjGymmvHH&mO|9$D-<_I;&N!T*1ohJrJBE)F%Ul5 zo9jpo6eUe$&yeHgCF2?kPup_dRycc=!SdSUN?a`8)v_+JXyEN_TDMq3!}Y7Ubtm%2 z`3Y6vk=so3K=3~{-l7_?&a?L&)8;rNV`(UJBzY!1Y#tNN9BJ_368Gna4g6D8+#WnL zOf&Xx5EUyROVFMPszb0BSD9)QQRtj5fL7@NcYi}UCyGMGab$c$th=#n;*^xyGLMku zug8~}+5-3XsEuWlj7DE`W}C#uHLk?Ia{VgDH1g3U>}EH&pmcpE z1O&7ix&fN>C%j4*5)vidn7Upjc(ljFi642{V?&3G1Iy$1YA%Gu^y0@wTu`)k3>ci| z)e`$zo$&nBWr!^h7Va8`yhL$N(Jffhr)~uCsUe~?XD_O&Uj&viS)0v6{GVg$x4P;T zeEmw){6(jm0W}@12MVb!qG{6Oe{PCcNY$BB+mbSD&W09Gul6`CE9g_=$FvuYd#bM# 
z{ME?PiC11|cZSxgYFmrrJgP=LTc+c34mCjWCrPdroO1Nx5N96>!@5qX(Zcf6KVFGe zYa9$A6P3dqju}R;5b2u1lwNq}?0LJ%UuO3?o0PPn=-m`1O?~vQQ20?$Z{Js^!yf|!|A3GOrbMo{*D2q(6#=4TDeh^-OO)#Hd<>sA)BPnw)j@Sgep%xj#{XkS zXQF(}yW0HazWnjB%Wsg4HC|uy$iBtrUrF0dMxr}QhJH#(L-!vOUnaH_aq697;taG) zrjYt22gLwSe0A+cR-?)T3IeIta#JURm;cBlhT;2Hue%H(k?OH4?%Y$wMm%wg*PJFs zQk$*(uLD_}0g2k^cDVapv5zf+R&4i{tRcML;@+O=h3Co1rbXiRPitaED>tTECY(>n zwtftczOV>%S{`b1JHF=N`&GIKS#gAiwZ>=o>^hM-h+`=}+;pec#`|Z#(nO>e&kRJf zeT?P8_o2?f-klUK#N)elSr_UQuOg7tIn#?l=(>V*8NYLfLuEhTnilV|Mef$!Cf7rIYKp|oZ4 z$8Fl%1u6jOGhn~8FA_Rz0ew;)u4+lC*_Kv5=0mv)JDmv}(3GXz3-#6#;+lPO95GI( zk+G#d{`CHQAIsuu+dE#INIR7C81D#q@TJC~@mfrg6$)l%+QP-$DBH~_(MqsWck z70-dMq%lK3%M%~NZNZ-NW-ivxg4w8ICT*JbTe5-PqraPWXJ%4`14;9^gHE}TI?{nf zQ499c^&gY30wup?4>_TEaMIwr`qKeI8^N97f=B+V9P74nyn+R9XzMt)UL_m$Pb33- zw&dpZzdE?GOzkGTUUoT&cC}8*CDrhg(qT_}#G%y@7SQ%r(QU-9gKN@=QiZ=47pEUsIX~w^j`YaV1L{HVOaljev}ALs%SB0eXJ|#B8xG4hRQfqDKNE$ zTM+s_olsfCy+un z38V|COJzaj94~{7EXDAsneZj)Kd2K)o%76%aGDAa>X!ArAnmZk~uu z0gg&|DaN;e@(#w-v6Jm5K){ykO|COOrf#Pqx53!SK~0C{rZqK8Q6Fh|?C0|MDDIMcCF&>Tj{?JFq*y5(6U$tOz?jcEjFg~SvM$c*6t zhihdBrI!y3_<_B#Py4H98l+P+**KaW2%i>9iQE7)=E(KfMMpJ?|Ys>{W55uTz4I^IasIn zNd?8Us{w~?r)*25r|=TnO=o{IiY?#NXemr3i(7F6L7nIZ0%r(ma+THxUB)P(pgK7A zqlx1fn+^m*7c>b0Br2YK#{VcJ7b?`B4G)B`B(}n6ssDZJMb^2U7`~K%gXoStW+shZ z{o_|e++m!fK^dZ)&?Vq5k~hOrVSFJu=UXJQN7Wuq&x$QQi|5}jyueeS-!#nay1{@t zf6y&F$IM`wpb2VPUH?Lw$YrMZC6ZX!)l@N^=FuABB;M@D=#4P-j8$z>@ia5$yW-L+D zFX;Zxo>lZv)Q&37w_ zlmVnMUswL01&l8Qs|J7h^8p`RtuV&Y*>H$_Cd`01qPY3OCyH<87u-DMLES)@k1mfM z!Rhgz4hM7(jzPw+-X2J8Y5>aZm{JqpJl&<;k6=qa|oNo$F z%XgF7J&Xt~3hQ71sWE`Y3};NVII;sJ$$o=Ds+Th?I}*af^`qJ*1$e@}6h+EK= z`kTr%6(P=xAn*KlfNa-)R23cdvh8Qo+!WE`%3h{b158BcxpJft1v7$#ZW}>yT{plh zWbx3vs_sI7o+Na~kFT8j&@h+bdG+d0PT-9I=Kw!et~<5nd7833?<(Qewx{KcZP>~+ zBcdb<+l732m<^ihDr_-iU%`>nUQ~cO6on%N$a*2uaiaT@R;@UPRF-17uqv_gLFOBhU9mMPYruS) z_Fzg1g3FngSM}kdmcK|7!&T9Lk`Ah3TS;!F8|@$pJ_=RgwwnV#KRnx^n^Kern!;dv z{Imge2DiMzY$3CFyg{@H#`03_30n4f-cId<%%|kbn|`u->YqC8%CBTFLGIpg&d8_5 
zdz7z)R=lpU)L;`fBB#eZ1%!4Pj1rrhlf5k&`Mnfb&1w(ACUWd0Jg2i}?wK0Mwus}J zN9*-|ckjJL+`iWAw!!{*{v;>83eE$S{I+!5D5~>|zs9Kw`kDm^Yk4~Y338~$(%6D$ z7l)=D8?Iwuw?o1lB6f|poooM4-!E0|?&dm8l|^XL_txEz*Bc-7`qHr!vjA=BcaFUM zK%JU0X)lfJ;{e0A?t zdUBbl&mwsTxGY99qw|{4CwrtTLw9Pj)5Y?jy&J8U`dli`)E)fUs}s}2I^S1)ljI%B ze^ufbV#ZD?dY%D-4U4XOC`VQfUaN42pHcTLt39UV~7BF0g>aEdxVk;>froB(dSp~+$9*ryp zKMXf&{zfq7UWBh$Q0CX|;MDaWn?gkwHV$%O-D*}B;>F3MJBdC;n#mKr1oUdQ7mho6 z)-y{2s!TfLj3QdOyejQzXljB-szY>jBH4eP2&LvFjA5?VRuz6wi0;ckt?8@4g)C>W z%#79j{s%s~fOs+e+?}54>*K9f;=jy%jPLi33m=5IYG@{m*+~$#U;3-h&W%O7@idU; zbIz9$$53G|ky-@qgBeFA#U?SXY}xSt>W^=d>|7mGuLU-d^s3j6nBp$R&eQyvpkPR5 z0`Gdnyw=C$WIsYAF;47{GCVK@|2sjJ7dxth*HZn2hZ zks1#hzXHk=^nWtxuI;NeJgNsq#<*QA`15VtGy!&^v zrHi^BnMt&9XFI|@=5R=SYyZFkKgme?^UGTOQ>OWT+Ud8*oW0HR1$LE z9k1X;5OpPK1T7npg=RO65J8Zn6)B%=pFznYvyIFt*>h$R!orJoUnt;*6sYk(0HQ!$zfxOZkMHxfVZ zb+|WwXi#;s&h)Prr2g@c*MHib1mc2$|Ja@c0z>}~9_aZG`;oYKx&Qi0@U`)wXniSsvaBoM}Hy+_g3)8i8`g@!BQF|OJxDkXvid);0KpWGkc zvTHA|NOtr5#OoSn>Jqa*KlIpwnIZZEqs`x{v*C3ZxVxju

Yt5Gx< zb}9pd$^dw7_4s{EMJDf%T+krg`Lf(<0(zJrKUbM=c{y`dShogQsNx z!!**Pr2>cIy+;}zaXYe1=cTq8c>J}H2dyJgSWbCZe>7n)?(@KjGfz_|>s-O7k>Wdv zl+Rm6$XdwG+N7`(_qlKK^|NBJ>zLnI@Qd?ykpszlRQMVz{E}-pE7Xgxo|e(1hb?{| zfAp?pWE0CVZ|jd13MJ}0mPnAS;%QGVyo5EhVtrJVmqj%{srt=pH^mD}4|q7+ zBNz-uHI`p6xZNTZMQuNxglM87|FyzJ69d}LU9DT7RO2<9iw2sdqR8#X-xgD_4FWaw z?^lc{p6fSa$X>-)tvNc8eclcEdr>=~u#L~Sz`=PSYmHz(?w{AOB5n)q&pjH6OIJ?I z3xMy?A_SQ&SM&8O`Rlm6Cz<5w1w_89+S%?OKAgSer``W&qsI&E|)a0|bG^)6$ zTgNk2Q=AtwkxS_g)KmK5{O0E^rCLyCuNSYB&(6BKu5sRphK2M`m`jkD7(+8a8Iu^ zOGionWR37{R`uNrH4&cbrGl_h&(@dGi*A2kog}gzH!1j8Y0Gq_wanMpwi9bSKA&k_ z>0H0}*$7z(FJRT!rTXJe*)Ux>D9cP2Z5e^HhIpc1DE+nFVkTh#q0EGH@w~d?StCsH zZweEEgEz85PL)|#xscg*D=ZJvsab7Rc8;tO^Jandpnpi2d!FZH&V|lX>5;7iq~`gQ z?mm*|2$=6h&9>@j6s=)3wW2|X?6B=_POt7J*ntTvOAy12JaeTI8Mj@UX$ zr;L}w*`PXW|A^+|hJ3&?_6%VKz3Qy~^oy9!BXuLZtWcMbWpLijpuT*^_rjKYINb9E zn8emY1WC`0&nghT>_|JIp0;u~;cYi`%rt()hzT_j*^XT0_4Ey97S!w#Q8}wnS@L(=u3cD8- zP(-)OiXDZ13aL>kFi23!AFq+W2nzS2R;jICL?enybGBNH&O6{79Bpb)=Dif`Q0)4l zN_ivW&&G}wXIAMEs?~kE@Xlwz!K*9rri9ijAI?i8L!wVR@R9yIB8r}@c%iqkopmck z6ckd1Zm_`zoe%v9Ci$I*da-NXg?+O)I9?4Z z7{t81$uj6&oLOY9d)|YjFLdsnDc(I>2wg`H9NkO!`yglcaQ^n(9NKQ5{)a9p+kxevZE;tIf_7lZyf$zZ>qBI

b}6a2-T=O&;ml z*h0R*ZR+N;_5-2ddKmn|0q@=`DOEn4X60Wh7*X1;emTM0ZBY70j0PXEF1pJgG6ViZ z78Ig$HSt^8!#n!-5rLv-yV|GPy5S-jt794L{KPc4u6C|>V6oYc)k5DxZjIh9!98p> z_A?`%{T#<1VSN*jQ~1~U^Z)R^1H?a^f9~Q^akn+Lw~MReLo%%hLoI06E_>^Oub!KVM#;0{~rYclqV)uTS{@Q;9#66qOP? zJ#nfl_?JE)idF3;q{QTm9Db_FA*KNUadL8=o>Xyna)#SV*_qh`z-JqE{=VZ3eEzt; z210S}zbg*@^)&(tj;3%&1P!J?nqdZTD8tPy5wP8vgb@|shyoQC2L~It?dgPq^DmPA z@qER<+nn~ZvX>egjOQXLy-T$yt5d5EZ3POI_D9G~<6)(L}@DH8-vnhE0 zY6;F?w*`WE{l-UnGT}oe~$p*U#It%(CU9NByj)B zkihdZBtZVrlV3yW|5-@*Z(iy0Z%F+Ab-yb3*O>o@Ib|*FtP%K3oDri0Hy4lxh6qF; zAcPm;<2*nvUH}&e0^~g13n`+4sHJgAlS3Q;$Po@SvA5+gcC>eMf^(?LN(r;`2pT!tC^%Z0TiWr%-K8C* ztn4kdtmHW5RE42(9%}Ads#^Eu#ni2}z*25<9_m&K5=szl4JC-Yhn$-nSjkdWRNC#d zj**=_L{`Jp!BpbDg_e!HysUatIFZ1aZ)?asC0>D2vbTUafIk~_AmUaMXgqF;I zxs4&5m%;?&;RSMoequU<_IqH0Tn-cHa+tVzfSiy&Fr7pDJupEphY5T+Ok7+*2=phW zGibjDCfMaLK`w_01_g3){ls(z?f1aMbvaDX%VC0ofxJ9FF`YsCJuq=!4ioHhm>`It z{gcuev)_Xf&*dm_U5*ln7s&NeXUu*NOs8|J%W&ek z6elPz7Z5Qq`GeCLwcmsj=yIGcmxV)lpg`Eqk?x$@Z^G$vX*l$9X*iS{4CMJa)SXlN zO*maH4~JeZ4~KGrfZ(5)&Y=A!m@b!xLob(yL&01?u5(U^=`s|;^M7No6a9aI>2i5E z^m2JP6a)qGLVsd9gZ7(nx?Ca-y<8#=<%9siTt7LTQTt6eT`m)cUM>@d@PdFa?w_2_ zsQo6KE|-f#FPDo$xOss*ynk>yr}mq0x?DC6y<9d9;X(ic{p55;?f2jWzFamAy<9d9 zfk1#038%|t5STM!s&9^IP7xSI0VEA1pkcV z=hS`^PM6EZVVBFs!Mr>`7|%~mXViWZPM1r^VV6tC!8}~RpTpfbwBH2N<5STM!s&9^ zIP7xSI2g(a1pOTC&Z+$-oGzD*!!DPNgTXvN=$~QyjN0$P339n?9Co>E91KDnequU< z_M2e3Trv*3Trv*kgaJW+j&`TeeiKZW%f-3=@&7FSSMQzU0t2|tFZ$nn@0`GY^=7$C zzIKi4e4FV1&TH2okiS6uHBtZfkDP&^yl1a#bNczn*(WU>`%x|eZ|oY#Gyi=>))wZ$S;ux#(!5EgT`$Cmx$2Iw7=Lcer&&MB7 zxV#}!pN%0DKlmvmX*S#5_H%luYk!Do(PCqBQh(B1>?lC-WAmmCHoCWFV^OI#$pZ?h zNILOs8&?5}P@JyqmODMG@OR#aarNe-@7#PatqoY?ikB9qg(6W~-V}?perzYn$zI?o zMQY@Z4xM7%Gvnb2Cpl@(+6a84(J(9FkIe4rf;ztlTJ%;@YjLlaGa$Y@@OdXlO|D8c zELPG8FE@Ai4Qj+IRjnpqWOXOSb&{OTdgHk?ldt^=R4)$KKXJDh~>SpaI^Gb2tVnon0>J{IL&xV^ja zzUoIX?dDPpE9teACs*3&9k&3Fk4ZZU@Q~sNJ3l_{=ivO-wWUNM)e^fEV;^ZD_1en9 zAbw1SevfKj!#~I*W1xkI_}+b-SlUSzjn!q$4|&MMuThfkdR~`+6he?v*&42lO3G}% 
zUqCTVFhm=fVF~#h6QP*3*ZsJe<{K27l$=ZLip&xd8}w1LaLROG6Vl=EJySh=0{R%b zLow_{WtwQkZt!EHu<0aaS|y>n*3b_i{}UsU&THMxPjSE*WX0vQ?g>QUE-b1kxcqx% z?TI{0lF=9o$yrB+w}{c53L@@UNGMK<`h}Lg_si_z=ksKHm}SCYqs(*5-5Fm2*h{S` zAhN>Kh`k2y3~Mx_6jktDZ+cxlJ0>jA*RP&KEz;zNX3nSj*}{Hq6Rj;6jT=AVB^Ue5 z*6sKM!jVzru{X_XiNV$jQX|7EcE(-)W*=S*nTWZCllul98c3E4ThOI3B}%By@X7e* z>SM}c9GHhvdK^90^T^vSWa)BvDNGlXf;QZ_!TB&4HCjs8;!BRC0%~8{nC{ffHSGtY zeWpL?*Jwjqql0?%HL>j95)Lk;tx$_nr@E|wb%{`w>a=0!sbJ97{07(4d6NGAosC7$td=_ zK|m}=rQyqO1;BA0S?J+V<0y8A?H6>2OXkf$*`{5Q&aTd1m^x z*F-dP__xinttvj4>PA+{>DnS zrnc_*Og4IlQ_4nEU{a1J(rp>pM<;7S=L-zIQlVRR?zTNH*SLtvm;>|F0P_Qo+9%^5AAjhntvFJtSH?L2WvFG; z*lCi~6uyQ7JlN^@5Tk^sjJjgEM;L{!LhKm6km_>C7W9qc+Si#mlN^g#_G`Isiyay% zGLNOc+q?PVX|hM@->RPKHJ*%u<$B}77*`$yR0K+(2XQ>7IEgAE zVoN9zr)KzJx9?YVhzTvbAxIXbux^Kpd_+wlgEDnCCOG}=;SH{T?5O`A9)5=W@$fSk z0y#~dFZcBG#lRybs(LZ({Q5XFV)Xhs4sr8>xH*3vh)zDAOd;V)i%W?kUAb}v$q?}e z>0}g16ba+%RrIT980hHe*REk;UMIl5j)ird6#pg;0VNqV6(t!31%M972%u%VMM1&D z&CJFLf%1x zq5g$Ywpt~IInYv4q;lAanMs+!V9FNC8ruo0R;931rbuH3g1c4%D`*-S7YXzi-=I*Zp3X@y`3sGr!;cyMOonyj`6{wAD3?)WVgO zCLtJYC1q`;w>8KF1W{5|LVx7{f<_6WtfHzmOkG1$3!G3k3c)BTD`QlYRaI3~z+WT5 z-w_pURUJc12Q^)~->^v`*eTIF_p2K@mYmXKG(0n&>K_`Tp*ebt{ug6$CZ>1-(Q2CY z^cgm`PG6JfI=fJ)?jD{@FK-`Kz|v)b-v+UR!@dt+v-XFGbw9?&ZQimqp2JP%rSNy{ zPE8YJ2}RjCxp@al4~feTA30iHQGL4R%-Py=b@h_QrskHb*RHqTxqGkee*1%mk2-$t z?s@*=m)>9d`r*2i5M?F#&j;6~4c3KGQBhVI2G^y8Sqo3lR#7#yRMT;w5AzGroirs{ z9qYJrf5|Bgqp6H%dj6penxl=a?%;lgOG8)oaSMz2ODj_>Y+zlj$Z%yP0G_foG6(7H z|A_xB_Hzu5f?ErjJ6yLYkC-_!Wlmm>e)-HvrZcMTB-f@zvSwM2A8yq(`|CH^N8{VM z?SXuzSyw1U5YcutRg|)A=6G(f?Q=q-+c)1v$Jf-0kHrf3T(ONKm(TIn0SAOiW#N?w zgrICgaMCp=PQ}lyvKG_flBn1prrdDuInhgd)N2Sa67vqfgihDKLshCnGqln0FGK zMS!Ogq8N+@`^^nBioGh9ZXd(J@5B6w80jtGkZNb2!wWdb=NKvumH9Gf*`kT;`6hdh ze_L1lo_p#&v?a~q-UCD!3^<=H97yn|Ij(~M=X09cbpQm84EH>|61ag11Qr2s&U1vA zYJiMJa5!^p4Lqn*L5k{dSkxu(tXPx-Pzs!aL_!ov2Qt=8=_6xU0iCROFLNo73gmPA zQTVhLW`ozoVoFO6&l11|*^=I}b zQmhWS;%Y9M75H3hOQv6qv<=p}@GN9TDsxv7k4_E>)1b^3?t}QwQvo6}s+G{xiu}j0 
z|BU;`gin8VonXTV-Q7QU|F!lI>(ln@e)G5X3}Lp0nS`z?3cZnN5w9BTMJC?<*G-r)7u?GDilc!dG8<9zy{s29%nQ&@AT<5F=3RUSw?-Tpr=`=6!$_rfFGoH|o| zy;TA5aAGvgb0@RaAQ8quB2=}MYsg)Cgq0%QyMt{X1N&xRVx&#Hd=6wP$!QP32V`ju z!wne{QbGO?Tc@}gZVX>`<9#5 zp_ua^=E9xZriNP`q8WFKxt4(|vjs)+Es?+cUfUi`|r4Yi7eiRSB5njQX6K)MBY=Avv?8!kSkX;TQFgjof5Oq)`%yEYB zV1eENy|4f<2+~XzN}ZsR{qW#AtOWn;@SNr3M$@l4ZWP%pt>pxKe#x{E4rcyuo)`9d z^9hmUTp^{Jdnq~k$j;kR^920H2^hc5K$HCk3fb%nz+H10YR%gk0D`3C4I;xoFg&WN66?(}md**6R&%xt6*XVNi@s;XX5<;1dg7Mr_wS#%DV;n4(H3q<3*C^b!D`j*Z_5#wX?8Z`+R(y z{FWEnAEh_-nl`oQ<>N`_mtGl+XxSk7b(5vp@+FOrnd)OSZ8N$eUG)MvJvUa|%5>7t z%{PzX;Dr`L=iH|j`Rmv5L*yEgB*N*f8FM7>+tCZAOsFWk=sNW>@CnNjbg4b{5|`@% z^s62d1v`jk-_rXaSUza~Ep6lftxRGUopL^o(M}KQ&D~*YrJHUW+HY|!sK0|iw73bg^M*n6VyfvVKm+2x(gwuY5!mpof}sD0PzzW8O!M#Pn#!rXCoznSUI z#0!p&13Yp7JemkrHhk#r`%{Ypw{MGt5q9P8(`fR>j;qtn4%%fy`3X#Uz^emva`v@| z;n-C)?{#hib)UIe88(Ru2Pm5c%N-y=+yM+fbR%+~V2C=?0oI{z1Wuh~9SBuL<|Z0_ zt9PvPANyFmzDb1}%C2c^YYgU=jJOGSmu<+F6*n{wAPZH&yHHhyZWV!grSdV9@_hUi zE#0I1TBg}|y+0LCxJMJQ-Gg_H)4dg$5m&`Rs@3 zK0UNMuc|Ly8aHlPjB0CsUvfwAI((7ZjpmGgDiMyVoQ8Td;nRx)S9is;4IpRW*qJ~f z`^G)K%W_UWpIK3MiAK6;$aUgd9isNQEKRzPk|@5NSD;Lwy3hyl>4Ls;HrQ;pn) z{v|d6td}N^T7SjF=%~X}&pP9_D-=@`ZXxN5BdbM10q9^L71;QFs_3{<-p~9-pb${+ zP~NBvnz~|8B0&)x<@uOIO?N*kbb zzG-ooH?v^B;O5g)|8>jj;+!o#I+B)gq;No@ZT&CPGB~8@%8tts#wkhQ`}hY6QNHgj zQGpK>qE1)R!#L3T79TrCbLox<1BU4OvIyZ6m(a6(pKsV&=R$!c-tF*p4~ZE*AqiA6 zravq((%JRLl8FlETIggdN->#ue=>%3H%^+^+eO%KX}tQ!pURlV$;l45#04y(q$GJQ zAWgOlgbLCK^Lu>aMr)CA<|uP;I9qTp@Y$d*dS|!8kmN*_h?<^Q7cp^jX7;a-43a$0 zE37%Y$ofU@}vuX@M{)29~1?8;l?)Erf^C*+AFT4T&xkgT9#;O4n58q{b@&;;A!-9jzupVTXX+#gord=5 zkP4PTvho$B$)e(w2G=_D296EDF+q6I79XyApwp?$RKw{nprpV7CF~2?Ybl}A5nyG@&n_h z@CNnJjBr-bs&k+i5HC0?h9^Kw2wMl5aA-@YaP9>MX>juLf$g$EV|E}aClwZZgn*yL zchCna^u(k~r`~As#_GJOqnBrh!6Eq~E+}O?jueNbd$`D2%P1BVDvVTC)y$zaLj63A zLPpGGqd=(~!OsCtR@69Dh^Y;rf=we-77#bCee>h(1QIowkzP@q^I+4%S)GSt)F1En z7P#eRA)3{N-}sJxutrzCV>bJ7-!>KPg^tD5(e$~99uDiJ@mL5L#80Q$pMlH;r2Z$h zXfYj+%(Lq5@3^&?rE@f$;v3g2S?G-FQrVAY2d(06wx!`x+LJ2xB+o0_>dfouXb#&5 
zOBJkRVqT46o{o|OHer^k@*yrdlYwG^8Xq`ORgB@J!&k-Tt?U5}sbeBr32-k=_w6Ue zSFY5lpR|~u%(0%EgNi!vH|F0Z;UF=l2EQ=dn~pVTwQ>D63j14ASh^MEi4IQHh|*8J#g z(3}AobnzSF`LMr#=&4?;hs-h9*6HY_%O(|9RM3LDBLaH8T8c$GQ3lb>c9=mzE&G11 z^$a2;(tsh7PvbBHLw)%ies_$_E=Qx9gX$D?KWcDC-~-R_$ae!cY$ha9c5Ey4F3lo7 z()+od!?nuM0o))NkyJg9Ow?+MO7%^D_oL)gKW5r z0N%S{B(kYB{02~>#TAbDijwTME2REpPW!6GexOfd1nWFmUZA-#@Wn5B*U8w`UzdEn zA1Y5A>sW>PrLM`kt?PSk^yugZ9EtajcNA<#h%728A)}r`GGw#yLQ6JuYM>8*Tmt-N zi^aoPppk(k?-TCcawo53-nPr|er_Pfp_MJ2cNkQ*Sz}sCWO76^OPIPVj2mqGaQpJr zo(I}rL6&40DtczcOj+th1~>kA=#r%SJm{VSR3G`a6Cnz9*YC`W;n;|5*QwcG@{oYm zSsgZC??u2BW|++yvs&XTmwdNb)>*Z-T9(w=lxqPxjRJZj-VE3?55wnj5Ef7=P_dy1 zxXTra0Q3l|lT?p}v*cb|`Ucq+C_-|kNq%zM6}D`Nd(ZTP#UhC~rz%4FHGLpc zVuT@~!Mz|MGyvGm=0h5fzgu`rAEUK0)vn|ro_co$ZVm2Y{f+DeX6rQ1 za_6R;FR!yIb&-^>wK2&myf<$Av|yVmXrS|_=x_$6Jo3lH$g(XeG~4CcgYG!HDSxaj z-+y$k-~5PxEAG^`!+=W>Ehv`)DrZ7zTFV}PXnZnd;aTe$59oDqSUS@Mz~rI|t0bU~ z&=Op72`WAfz(D;ewQ5P+B|82pJ)MNfOg$bMHnBylFj@%A(5Ce z{--1$B%Y}Qg^em}-3OjOfUy15^5?c_k(tJ2KxFn}|Ap|=*q%JrUAwQ~$eNu{krE#p z@dLQ*vIhOotj!{?>1_ZI4}0i}EM)dbg2)S%f@To4U-ZA$eIT% zkeo*LcS$dxTVg;h0;Lpc5iE0wkXEV+q3QtN1p;1Af`5cn53k=ZHGLn^W&eK{Yc79GXVTfxlApKzO)A~XlV(NXryUAf@ z>4VpC{3iu!KD;_v$P}X(8zG9i!Zi1a?OinEXh+7yLsPZvaZHiPt;#)sGEF_$jZ`nb z5%vjGm2wbVuv-Bo5BT&Z*gu8ehdy1Pn;!iyXd>9#T>}gy4~)}zR$`mAZdJ;U@i&57 zEaK2Hq_31-1uRRWkJpuI1+!S|tDwYBG%@%R8GVkj7};dIVVkEutpOdL7RKHBF~bEP z9H+oudvom?z@H)A`8o;^j!O zwN%1m8ZG@%L2#>sZAn_LWyIvA4SSHJ%Sse{E~(j3%huVTqZlO*4Dl>#X+DLL za(uqhum~6t4Eb!?H=Yv>7_yCj%3%pMcw z>EMyO85i>Q;;_ml+qyhrKu`V)`k)ItT%f+BPH=YiC1JX#aqu_R3ec+%?+Nfs;BPSF z(^JX}j%zTMREQW=dB)i5fZcr@`Fz)o{2!|*6$2|KJnPuoIUO(8*S+~W_;(i>7YOId1MGR*w&>LccS zZZdxuRyC6+gj<4lie#!p*kCgOB$R!U2O^kRY&K*hJFdZEAR~ne2i$pqFWFL1in&yU zpop6;{0W_FJIus_cB!}~9FaC)M=Ry3jXriAi|crjL)5n5mlEU4zbnZ%k8eGh{|FXe zT>xIb5MH^fAEmv9#waCum^a4=TmJ1#RgF2gyeAi%Mpp)y439;L* zL}l%G2*=VXYZD&l6fLMNTH6$2fHJuwgq|CogfrshH$)d}0j2yL&OrU26do}QX9Xl} zOYI2?2_AAcLU(?|3QUe?hd?^z%nrn zVFLhb{|s6W;3xs$@)-O8NszM4KoQE(Kr*5%G@-%mR}W-0_-j&fVDb+cMASbER_tev 
zJ94npN=Qi1-1D-qLAbGmebVSV)W+hnh%=CWIM}Ns)GJ;)$0eg8Vq^KKvaTQ5<*Wl| zb4wWxvDE9y(8U|^+MB~L#D$LquL(Nbkqrw#5{?WI4yX0$2(t|(z-z5)Axn44xI69i5IsZwUv<0~GD z$sxVF8X#Lq2c~V9L;YoL&$PE4@4efl1O&oVr(e4@_w=O5%8L0WSXDO^MS%ub8=9i7 zX!Tb?j3mdM3=UCD`$Hx!4+rRre@{DF?zjvC$f8PhI4Vg=fwyOnX*+6tHWruW%I|#Q z{}RFEX(ng&!}6>y-&Ra)FJIs2W0dc%>;fB9G$NLQd#oW_ygn%ix%|Y9VJdO=e|@@- zFVFQZGtFr;gb~qxh(bYRB$fVl7B6aH#%~JTXe@sqX`xIIBCa_VK@P8Bqsq%oV)zA} zXrE&;1L9mlOqMX~N?f#vMSzmljh)i22?Uj?T3a=qX9H~Y|FsID$#RMH3)58hx0UzS z^@k3g@Xx$ooV#@2(~I}|`|DiOm8q=K@NU!$h0+@KUm;8vJ-7iJ0NCS|Dpj+crlTJi zClv#MRRw@mYeG9P=mDG_Jz8~v4Sm#k;x3=$463?*aXqtbaL4hTEw6mCLq8hNjPr!ZFI>Qi>r0(9>p->tucVEa_Uw;WS^R< zqjigwPr+#_jwl7~(D8uq;OsVq`a|qQ#q*Nftp*B2iisPR;l`=L38Kpl-6fN-<_N@& zcN`&rMaN5G{I@}#+V|S1M{goJqo=QMGs&;88C!7>*2BQmHvA8F1=i8Rc6mqsv(7lr#o1yao-bn^^!w8BAgS8*GxsFCOY&^(C)Pu-{QxOqX zlYw`VV!`fyz5yTY>1K%#R?^EZ!?S0sAFTp9H-XQo*0Ev6@@dUspauw2_M(?)kDfgl zi;J;AMAM6J`tJRyg@BqGlL44&8T%hT1&2e^h-g`9{C`o^thfBbl5s)WnzMPeUJWHBFl)?o!9Dy-9gv@6b(V02?(!Y#-nz=+IGAk1Jl_j84E< zLp=M`ktPZs-wY=($Bd)y1ccaatGB1RKg|nG_inK}Y82%D>?5|Bl9SbVLf|~i(MTZz z`W9F@9P#m2Zf}=;PbC%9W&3a4Ggtt~NC0#6PiL7lJ??PCFb!Q1XQh0ru+e?WSX|4O zNni^Er!VAFh_zIfPfPVBFW7t!?$U)<%RmZ2Xw}I1F{}WQFUA|6W&sNLjyzc8A*Y0% zs66!I8nDRAIF_@*U9{^pLq9-|%6JGb5V1;YZ_~nYy>jjCS3`P&Tj%=u4FS_y3wG`8 zluEPc3TgXkke#Pxm4JRwkgy!>P#p+dC5S2BnC;N2+g~E1< zJeONwR_os#+q-mjp9OfC;w2GqDl@`nj-@hy8#n8zmO2P2(dFnzZ4WjxftZN z9DNJ+BLLA`nree8$LTw>F}^SjK~J6AM!r_*gC0onlA=|oFh=h+j>Sbw6T!w;)f=sx zr$$O>U~w8vohsn3$B! 
z*|^ZD3{c7Tttt0CAesO-s8W)hIY?SYSfVeG72M_Eg}?KmE=pFUvAFoL+VMN~Y^T)^ z#B24Meaud!y_s7UF{xAzJpO8*jJZWN8P_T95ZMDa&oE|aivn?Sm?=L;2Ue;Lx$1?S@O#$Ore`!~$ zhujZto#yXPYU)FbM5?bl?ayjlwE9Eh#Nh2-c|LW|{#+dC@ES0UWN{su*KvZLUj`FT z;P5ol5an}rbXG-mJ-AuDL z#Tax>=EjoYO(SZBf5Z z11mJo-$8<-X=Q+kJQ_3azB~Iis=ZaxKY-NUr&XV%PkTx4=~+{Ai+V&Y)Y|)(3SBLS zgvoj<%$KtggHI)#n_GBbcBve!!md7iN%)kS%c&Cl8LA={|(bd#8(>02sZ`@foUcA;%de90U#khC^S zb8?K;X%3Ra0s=^#7cCcf9(<@5q0roP`tU>?R+5mAQ~)6rFFx#aa}!_y$+LAt@)p@W z4s9@qYymfg_oxEY3jD3^@v?b5-E(-NI(Lyg&3(xvXY(0Tl*LUo_5dt}VNx<^5UuOQuB?zFXz5x& z#E2IEKWcFTn4AmV(1-Mrl=qntqQ=V|z&!)-(v{=Bw5h=tZZ(KY%IOJC)AjxJ6|mWU zOX5FBJeW3bz0pH>VO4ME1bBxI4XB;v*3+x}UE8&woEf&+1_dqb!+|B7nd8%Z%-GI# zy)@ca7y0dQ6onEb!YSdgMArzt7GNRGbkyGtgQ~}|NZe;sJG`AS zWxn{;`BL3_R5dk=OXf;|nm!C}3d5?pRYf44avCZtWHG+*8?ZMTIO-w$C#?TBtQMu) z2UuFkXm6jWDk3hK+Q zN~F@)_q6DPu3kN*va*|zevqKN>E!O%Jo|!vjchxw{A=L@M8@|Z{fHF!8ir9rygX&y%E#!1nsvCui+G(OR&4cUIx6rJ<710iB*Fd(4!5G9QW{ z2h0hFaHqZa#uR6cSz0!fj<{`dlqTWBUHL90KJUJYU$3WE*S7`RZrO6`5kk}kx^;1* zReC8b|8sP46Be*2+Hf{EpZP|a)q_fZA$->-fSc^!yDZolhrYcf>1cM!zEsOz*l+jjVa65*qUnE3o_zdsiM0b^iaSwb*E= zZn=j-))&ok#|5U$SLEG-73GDain=ggX{ zTidmc@-1i3RiZtooAm!V{u;pU=bSRaZfva%8V-K+`lm4lS=Da792(+ICgUJ7I1Qku$i2oVJNJ6j{)X za$d#g%_EuVDq7c}R^u0QV-P>X9%svqVJo`4`3k;W$tLh#5B+0Ibd|U9QHDa`LL=8BBA$&NG!ZJ>>~pO3Vyq%DTOOvs7fdsYlj!`;Q)<8w7lzcSwf8Lr#^|KOum8 zVlJZ3_Aw7IPJ)9EKmbPP{Txps_Qw{0tKy~#L20kj6gfxNJ+%(Mm?aDbS-;2@)yYJF zRnimq(Kx!Jqb`Z0P&Sem6*~w~)~8RNyWV8TN;oO0LqH>>K7ZWV^n+X8xO?Hxsa4d@ zT~9TH>m6Vn3^+lXK|itI+|U7A1ISwf?a`tqM=fA-33AI>MWJ~y5rc~+JUsGzT&ZK) zFsS@~uU*k(3fZrwli#`==y3&R-Iu@xoN){0I1}nffnm8s11l@mZs?bB*78igZtK!o zHQkiN;u#DvWPihCn;vfR20_njI>)X>!TJH+!tKZ?ot^-_KOMz7Ik#T_IRQoq6qz=s zB=bDeP#V+Ix}OtZj$PA8-O#?)VHIGjjq#xF>l4wa(tWZp&3e>o*`t$*&H<&G0C9yK zOc>`%GdM^NIf4K#3K?1) zsw4D8XlRp#1BtoBawY$oYG1ZAgkF4IQSyP~S^8LVimBo+GO1!3iZ`?y!Q3UXKg>*T z+F&UL88HUPtDoDxL-7Uu8xwdUIa#;g95d6ie~6+gKx*H(Vw>3}YSTeFJ^fQpIU%o0W?HYT?5#kOtRw(%yJ*tTukwr$(Cos)|=-9P#YYIUvddiIugm6!2!uSX%O 
z*m|<|%6~&X)qp&$o4~64M?t(%$-MB5;2q+;Q`xyXB_&XpG-)@twR3dk_1z`tJ48Jw zv1E;PX4M#Vd0uGeiuT}5?)++>(G(vY@O2XE=|`zzTOiFPz&CJ#>$Q~ZxHA5%&}4M* zS%lOcC>&Noa+GGY31#nqkn%X8|BrN#9?85UHf#(`KZ6@vhn4?amsx4=A`orQkd<{m zL|1N3b{|5mR1=wkb*Bl-FA+T--W;(pG-1~`G(9u&t|XU(N}d0dIEjd{3Ro^{;6T0= zV(mx6?aVQ#%XCC(0!IaB6n0m{*kfkv8e`}$2zRhcht^(3(j(*46)yy<^nmqX~U&T*n zA5T`)YMLNulB0%BV|jeLViDia4q5I23z_3Ov@Flt@_=$tWv13wWtk=8zq+#%VSxZ< z*&lrYG>)=GtmqZQY671b3XRDSeq=+L2C2jnb3hahi|G}rLjswM2G2OBjq^&gQbuWq1iP*M?A?zUTP=&KhwV2qjLt4kC1HEt$Q9`z;U7cb{S?y`$p9j z>PNxMdI@$_#CkAsJ^4VbBI#jyZK`BkP<33n@A|5py3uW*0r|7dKMCu~)kvU)Jb%P3 z{jB+sT+GJ;eG9Fd&wTjPk^2>Xg)DT&MDqJ%LfX@Hk|PJ>MfLC1>(Fe`O_rNG?!9#g zWB$j1##Tl+(0J9Y{7+rG7tYHopk>kXvi`MN+v=~mPRq$2aPhsBWEMlc6K>Mj88CM^ zKSWv8;1-z(GkPrvL&$V#dFG_JC64a#2hzZTd7DVxPeh!9NBr4DTew+em;wq| zL1f;w^(b5(j|25<#!UuH?|yC$J9G0ii7Qv|bgP_wYpZ zfOHOD;F4+sekC@M%!TCTOy%xKHul@e!<}9}r4=tdvO2wYAgr-2Xv()f?@-W3wR`UI% zwbjfDp6slD2^%{}K)sh^IkcVk*KVaa;Y`v!5qBE+yL>Y^P4}}014%bIEAKKDj7(q3 zC^YiQnSJ4pP(nx>zORd$903_QI?=`+*Yy{~8lL3x$ZRDPVl1;T(i2-R6U65&3Q%YI zSRfQI>9Yq!Orlnd*RNNZ>;GIVHyG{cGlZ zs5fiAV|XNMse*)9SWtuS%*s@yR!9wja*G30ud(rC>~$!8k_8A2z7hsYVGLz12Wh*{ z3jvY%E_CxMeX&_P zyPWzw9N`}u`B?@mdhf%y^i|b=c=9UY6I@3iR)$Q)E8W}erHdqKp$oS}??xslLLv|< zoN?SJFe_4w_xZxvJrQ&?|Li*PQes=cNZo3BFYBe@DIU_|vt=+C1csu?RmUK>F5ZAX zJGAg&5we=5%5QH&6VVS^f(VvVju98;GUPl}O!HL9%*QXd0)Fk-#c*GWS>;?DDsvCy zr8Ll0B;EC#9xXOH<0tOtyza~vwqer^lUnK2=esBXIa~s{S0t|c;ac#(&tn;eMm8hJ z`0LsGg^Y%2e(famQFH_f$^pOcjy>p(#Lnc-tXnQ3n^fB7Vs;jo_8l6r_g#+vnvIXi zi760RA)YU8liwekOqQLGT}DH~`cu=OjE_+qKuA=|H9QZ{4@mcl-` zGAwJrd(~+D;T3G<@BsJyYE6yy12d#$NFTa&QXLS=tTaTdV-0aimkWgs=E3mrc&5&+ z%rO2(jo$Rs_%Ve`wpA{|GA-k!126fwghw=QI8*|s`|&DeYR}^Em~8ndeqb`_sRs0cW6Y%-*ed zwl3Y!gj7$?JtEL+UtF)k5Koi^_yDg510$EdVx_slRtIpi#dv!-gF6{8{>OGXf3jW) zT?1p2qvbqlvqJaecsO-WLC9(o$g)y%h!m}9{97j&y|Mh#5lA)Ellq`>lwzMt0zVg4 z0Fx~3CII(j!$naYJ$R6OXj>*xG!7*=Vg-fF`Ad-SXGA7EsG$P=u_DTLP(>wY9>;u9 zGip%kj5B!aMB$*l@w74iGX&ucM?8#%zo2H9bv5dvw(s9Bv-46jFodPLX|Y7BK>VRT 
zDHVm^ya!|Xn&}2CWSLIZRcb@Ig7X3LSMwd_W8Q2<3?k2JXZJLALxL zCkJl}Xz`m20Mf`M@#?o($)9qE2(TvdxPJX!%qJ02m_u5tdn#^k(@vjqbo?+={3z(k zg5bd(@&cxofle3Gg++)uyL%gkD#v$60Fp)teZQ`nS0NjVPFl~Pw3>$5lSo3LCmR~N zj}C?CgB7S(u@?Fg7~D6tweLUKYlmf zpV;*p8e50eb+BQ?m?t0&inJ!Zb!%I)GL*eouRF(IiLb&1>D^+0(iIaJ@wq0IH(n%w zZdQOC`L0kvT$Vp3vAkU|!hBM8}@7B+6}3{9gxzKn!rM=!A z^Kl}`&2DZF>7B#9j|IV~W17>i%sef-+9-Jm{*S_qp=wmOd+&`vG$g(r;IqI|CoaNX zPA!>%WTaosVBzUNbDscJk$t;gqhvBgyuyKTqMDCleZ#5d-jL0%M(Jnx6_wK{Df%KQ zM>9QhuSw(F1i2WzzjYY^+xcB_R8& z0mHgd+oJN(lGw)@WYjm;G(qQ8w&y;BTo^p2CiLQW18vCpR1$9d7d0vn_RZRZ+>d6{ zd;Ct&KyLKKAzYpXGrA^`TK=1|XIZIM*BC}E(}tHvS#51&e*y96e*jf48Hp*hSM)I| z`*2;10ee#gW}6h!OetC3Ri&Jx10ojnvg9?<4=Lp;PtgbJ^D`->whFoDw~5B9>5?6K zTb|FY>2l%Pr&1OzEV4l3|5#?!e)b&miX<8?Kl~BEz{~_C)qG?XkIxL|a3*W~avm-H#hny$`w zu)*y{?c$z8=3hL526F;hSLHWm^e8nHj56mE|5k+O?8td|Y4?*PEQq>6!1x;>PS&lu zK`$@F485k-@lrc=o)(O&$XoJ`z#C-((`y>&I@FAd;=nh9H?_%^fAVGd#E*rTEGQEt zR(z!`56|8T2oTIsyef-r^Q@UCEO&jlyg}WMaNVb!s3m6qSZP#(woogh6qEiZk^dzO zPMW8r%ANS1jxlQ8Co2NK5##$m7Co5O)I?1bErBNr*ugkcdT+C4alMvb_1-_536YxY z3?__++L2?T;{M`AvdRWB0eKJbhcmANhufojhnQIe%kGR)WJXbnP{9lDX^pnYl-GDc zt!iP^51MvtRwmOWNTk2kD*WKeVA{$BP~}!cy-o(e2oxaQRzFxl!xY_xyVL>}!1|5WRGs21g8z-h}6E3Yfq zy8S5`jl|=wfWoQqB#Pc9mEAjw_DU42a{Ocb)XHz{YFlMcwREWS{tH~OM`r7D$~<{> zJZ0jQfN|)kTtr4hti%4P+)r#K%m~IX_-uF0CORBu4Pc7c%>Tl+cfgL;a5vHwyWUQ6 z{Gr|3p!Q{qnltPpXz)2(a|Ivg2@*p!%#Dh4}JUm4*6hjUzjjvDq;qs;u1pp#s5 z+$YTn`6VYuZtBGAW7IvEH`+!(WIoO)-N5BznjV+C?#Pf~AsR65f5Wdq;Q4T?yAzMX zyE|@M)(zKDpJ3)aVg=cf#oNyi<^-vp&mcp;n@pP9O??nLoaGb-=VrXa9k9ZMAy&vh z?qv!jt@Bxv)_4 zwq~GL+icH2cIplZR9&58m89%DF1vso7CZI9$UyZ0F|w47#7&Q2sG>8fJh(Bs>dK>lfVAL&q1S*Rcvqi&5Fr!Nz|uO=zZ`zNZbzaB^xiihj&oU= zLSJIi*5K?AJ~+`2a=nS-9z1>dJ0>Wa8Bi5e>8-vMu8E<}ak$TDt&2C^EYrbMth^)% zWzvyjuS&OhqjbyD;wkDN^(4}=NXotoJpu#m8R5bh7&~<@@{v2m0f8iUa@%t7bM5nu z&p^$Q#oz6f{;(kx(7l=0YLAWB2K<5>snk&`l%n#ka@|#*XwwO}%#0vKbJLdQkg}oY zqklgI3;9-y*MV)s(h@5^-vo?*w^qg8m=5q_b&`>8E{v4C#89(F-(IgJ3!&d|J6JX} z_E{XP%_48gXE-fg;D30$pBc1e8&u#CLu 
zi|((M>6_>!&KawJVTw9ENYJNgOQiFuNs%Z;P0abqJVwAKZ$>6ZeBSJvWIU*fN#fPj z*pua4E~sdD_&(9%NLL)pFc#=MBVhF|NufT@?&%waDS0frhU)Y1XN_@C46*Ck)fkNo zt*|^)lcH)V%VIzviKdKLmSpJHn=MNfJ;cpbXN{`k2j}*@G7Kixl$UXsxgV z+nz*?j!&wN#1=sRjGlkdI1Ce}wIV{_i>9?dC{m_v5nm*4C<&&Ca2Ha?gnRfp&Gvk!qRnYoU@R_S)cLZ8p{Ti;6=)>J=~Te$Q8 z=9y7_&Y^qmyq_ia5U+%@I^5F=mK@&cdvFdQ5*&ciX|GpeO`-C_!zuhI10Rs*J?MDU6*dr|8!|G2XdH$kO&7T19a=JeKj77*J zEgE*FBTuJo8OmvhqviDnQ$t0J}6XaC!_G#yx=T8KM; zhA+s8ZtNqbX4i&gd(lWzl8>2iY4uDVkwc0%(;XLO_((lOK{pLrsn;ZSG;(XMz zQ|w}9~anvuMkz}w$_UWN`R|wk>UUx z66n@z=74Mbjpf3Z>NYP;)qhcu+h8GwoA*CE0^c#_+vJ_hjHQAFV@RSY?)*fuYq!99 zQia|ROf5`t?@9911p$#v6Q^89g{*FDu^ldY3JJdy))ix|X&h<@wH5gVz|B9^pAgK$ zPKoRJ>GD+VRQb+4ECe;!GhwN%H>jb@7c!J;heRlm{{29~oLRXvd3Kyb9-f9lVvC)z zC&){>Zt;VfF*1eDOW=#^oia8YzIf!R_j0`H%vU0h?aV6=rS0Xln||>@gTu=!(jA_m zNU!k-chIJ|Ing5AbLSA`Cmu)Og5twqDS0RQ#HAjZ+C~O+q|Y;Dy<}f9Y}%`Y8V1t9 zu*f8Z-zgd}AWR*99+9Hj9T;e zQ902ryrH=5j-2?p*a)NW&q%cK)cvRkMU@Ec8N3xU*)CDiW`{Yy4b+x#$EaFuCe?2j z`92vusTmXe8c9h&v7ozbEIXoGJqHyGWYU_}IdOMBPW%ZwdWW!@7 zibRD9`(m5!lheb25SP!ac{B1D4+A<#RMX~1)=r-vS}u-4WJgIN2}V-~yy55N4L?Q) zmHOf|$iV2YwH80+mou?^j$j8PY**`LKE;x8on*(0r#aq>FR$;J9M|}F6YDC&Bs&SK zx<|}9IMYN>WRQA55S(X7e8+tVL6j+9DK#J z^JFrE?IjJjkYF&?ZBiO=KHlhk|(B9nC0 zTP8?TDtdjl?E>~eayb~LRDTFf4Vk?D4}-j4QI{@t?cfbcDtZzyRaxh*srqW{)8!g6 z^3aqI124RJcHP%aRUNac4em3H9sSFV%|V3q3AsT``Sy5aWb||%I$~??EM0*QCCYJ&$KL(&)_Vbz0and7ebh9zBl|G64|F7^(lXBm@Q9tnSAoQY(PF z$G959Bai#fCmZ=fhtOd=Y96k{Qn3g8Fk6@B0W}S7c5U${es1Yusy^`fddmBTnu+o8 zb~zLgM9BTlG&B7{@0><5jk{=e<^tP}vT+@D-rxmtc7`^bx~uQq(~yr_;Z$@qHFF zshveAy;7q+IaNk5bb;91`E*=DNHb(o}AOqth*wKt_=m{REh2<#F$MF zq>uF>ubS@=R_ptbv{$4BPd%*HCpgpv1#e-MUK05cjP#fe4rjkO)We{|FsyYl|SQ73=WNG*}yp|G2vs7795`^17KS;%~Tkz>9{E*l~bb zWBl&dlJ#2+A>pR<=La@ku034Kg-i{mg^&~dZq$BZwQ>LO0WQqQ^ajA&QGc?y&M+DH}@P%gw6m zhi4}9(S@?gcya;XkmU+O&;AkJmKXxk>jwLrpj-%E-O_QQ$Eg1XX)Z3#Y&3Yqoq+6& z3%&A&%fUPNvCLZON)Ue?q*P3X9$P`@EzR!DNfIxw4^nP)fnRo!yL;d)1V1Jmgg!5=Zwfo@d#ypk5Q64COS0GuEvOH|VBG`$aV3lTeeL0Cj>~clZzX 
z_Pg<}fI1-#hcT|SRIS{s$rpPl{NQD0ziqOqK4pVtdZtulSU9KPTHm%_MgwhnT=O+3 zQ+OH;`Q+B_2M*d)c56OqM+c{6^AKV(+W)?ZA%=tp2StVk2ZcpM;6o*DkmJ^Ai0ZN5 zQz_Ro$H}9)@}_jA%1e&i`DSwj_0ynWPC~T;tk$er*3==3t3gh9-rOR`Paa5yd)FwUmd!j zXSnp3;@ zJjJo&@AH8ht^=Mg>Q%UF3 z(CLh*8o2h@6+EH+CKq0L&s)oRG>W|j3(9wpCFC3jU@Pq*Px_gP=kVT|ng zeYFb0%^a%6MAiY_h;znR{4efiX`P4S4c2DT8@|H!bY)-1>L*eYpWsc~8>CXPop^h9 zw7d)_xY>n-nvEfz>PeyqVyhRey{U>>=N_C;B08mYvny>7*GDLr)%_c3f)4v|HSvO6 z?8mT_96LCV?h_?hyDPhz)xv1ChnE4}Nfqr>Hh`xry~>{iGw1=jAq^R&;HvsR4t z6Vt|@b!0Sxq#ar5qQHr*<&O8Oq0){1>pBaDWfJo3)`<6)ts=NE6H!W<@0QKEmKeuW6CLV2=o8rjl7N#2)P}w3v=k z9Cyj@!F!zmd{Go}1rRG}$-a?7O4?^08!ueEx$*l8S!gXZ!-%)@i>Re=kBCiX&Mfbt zVm3YEmqv@*7lzhwHI3V1!{HWatsX<^xF#4O;TV*i;DDLAsq;A!(Keh*Xb9KU+nK9L zJRoZMY&rk}?$4pyUwN?M&mUePaMbCj&hLz$utb!SR}-QuN|IP(-Y2rSTjHvvzdds? zrDm~~|2wimgT-#H{ftm?g|DuHc@{A;8fm^V7U62n!o6N?w%KTQy)+*AJ!N&fZ#K1V zGTl#9x0IeNm1pn@KG-y!zUoZXlx`Eq?lvIr{2D&pzN;QK&eG*DTB1DdEA_lKXlZar zQS)T}&>%rbJhu8OZmVoPJ8-_gkdyPX$c1X6iL<;T^wKKAL1Ge~YZ#Nq6fqN>*0>`A z23j4Dcjg#k@oo=LZY79d?)l^oadh<&7@%jlnKY{W?Kfm{aoBvToWG7@aK{8=YRb*#}Q5P!{CA#sP z)3tV_rde31b7W9hMr-F?w3Yc~)8tO|5K0%%8m(TP$8Q_=evKbPt=R*)w|dZ`^2zlY zz)-%geXlZ&P~?ZPwuD;dkmZXJAwKCdm8vjglp_!w=UM2RJ9F$mLgkdt}?^MTEaa+2e(Ul{z@>ks%)=8)@1e4%#Rum4&fgU75TVY7a}${=EW#XnhIn23l%LEnnm=nj~O=-}Yc>8?rX4(N(1pgXR+4vR{pxg<=; zq5F{A+GP5YIV;3D9^A?@utR6OVPzfdbJ8nmado{C;z+;cvajw_%s?Pn1~mXxdHfgW zFuFJtv6UP(4$Mch8d$9+xIQ&cQl%TNW{S^3hul4V)nj~acfQ)*UnjV3InGtzNPl#i zB|IE-eXTOiYU`~jQqgopidnZ`0Ag8dd97l|x46YG_*m*G=L1)3Pn;#9oi;9Bu%PNhnWZBp%Qhl~RSQz%r)V zcrmFz$AXepN=}|JSB;^f7ZF|wAqA=eoGRYaLIbUPNCZi``|-<}g9YwZgUTf8nWG5@V^a{LOl~) z#if*Nc3VRm&Nw!zn!kml%YCdWJ6pL{%p27ZC)E%^lo$c*rJTCMA9^)aUnHu((h^JU zgh!uU3}~#GU}Agintj*N@n;Jn<*b3T#LJt`>y4uF6ZML%&*2&<_55~AkZwyOSY1od zw1AsbxcyNmO{_5`iJPiWZm$OO%a4)M;~`5CPP34H_-$t$rtpg59jL%*#oqaiO+YOo zoLDcC%o>w@8rqOyEX=s_1XGHY8AUnE9{+AR8r;F~4pYpA2hBjleXnGN7EI^JKfBs!+{k{>c z3_aqKnjn)3qAEubiO5v$g!^PUrA+0Wf5I4l>GcYIMk6l|=LT3fNmMl3E^zEDtxc+o zm>$EM!ca(1F?mxl2~c%i4y#@a8FP@z_~s?06)x20XyI 
z7AP?04G|mY!kMAcf$|W^##LqN#;R_8);g`4vLcY0^d}Ar2vE?dI=hXM5+>Z5E~_Ma zzqD2(f_PS`n3tsxvjlp}YZ`f&;CPk8}8%SAO+MgCMh-j|omdsB<3WWY#!D<@5ykCM*x-O7ZDu4sWfT5<_}xDTB=xru z;G*n67gC{3N|b%!cVzv_K)srV*2EPbU5Y8hGnmG<;^#rPCnSt`-{PXi?&oPDTX{Uw znh_$F{*7~Qsy$e~|FzH5fi3^R1@Xc4@||Cq5r&KU(Q(5R{)GYNv{LLUzq{#uuf8p~ z&v_w?Lre&PFVX-TGf%mURz5u(n!b^)M&N8UA0f8!s3}uv^X|@G9XuH--KCCE%2OG@ zQ_1B77H)aR0NWYY&5$u5i{E6$^g@jWjkQfbyT@D)F-RW?0U@uP zqJpTa5>c)qKfDX-trE$sB6oMciXLO8_LHS<-%ZJr-VCogfS+1mRB$!DelilaHIm$R zLeC`5-ByI(HmcEiHzi}0^po{$M-&P&c9c(ebbWD-e)7mZ<2rdB&}s?m0EAy`Osu#c z>-r%`fHc%^gvc`s-PYSGS~RDvhp20g91cKK5(}ICS&nR%_UtD)-l>`-s|u&>vdX+D zb;pLW^xk}*FHX30{ zIw)JRt*}Gn;ye`_bDbyi_(v5-o)$8)Oiqpc0~+VtZ!&KQJk%9;f+XK#oi$wO1>qKW zbA^(v{U#do718|&UYXYTG}R(tfz>1_eL7!tF@TXJU@#u4rr>uLcglVe% zk`&LdYlP^`+URX6$oG3cY~A0V=5)#emhhoJWy+9Hvq<;JaP_(IwL5HJNz!6(&)6<( zrXnDugySnw++VG+kgzCom7+R#m2tPDrTuK0XF2p`6E(q)UT6P9u zhA=ZbF}~d4dHAIWagYkwJ>&X0e)eSxWAGqrCMBlJcP8fJMXsBCTrwx7BO`$=B{h{s z=Qj|3D8x55?+dtcHG z!`6*>B^KWuO>P~r8inB%m4xxSVQQ@EPiEJBIvlfUu{6rYlsZ#AyKy(-E+CP{mKhX+ zq&(ugCj~xq@+Yse`i&)e9vvmGxv_cXRsFqci#E;==W|VVafY?b^0e%-l9jm4{{&iq zqM%3DeeY9DbK8BO{el{S#(^_C%!BZ8(2S6mO`HJ~M^2ZO zr6J;%@$1+bECXB0sd(S=&Uw2O^UbFLyaZI^|jLR-O_8#C2D^T#yp<>Um0L!$}%u`$lbKCd3<;kr~+mrl@)6@Kxn?)7Lm(%>!2+S)V z)WNcVR$9IeO1*^)N{r2?isa55cKMzzHH+*dn(TkPeK+Qdmpau&mWzqTJTlBw*&J0K zQAyq-v#bqD(KVAT&O3FjD8|@eMG6NtH8N{7wpLL{^T%2`b?d|1dpg$zLoEyj@wv0G z%51LgM-PWe;liumJ1(~DKtI2K&Ladi$GfjLLd#>4JEPl^>wyBRlYP5fa-3 z>>S@EYN;CRKP77Fsox{I>fd^F>4B3tKbt={XcMmEmDJWdIQ*mIgW{v``eeoiM?6lhF`8T{iAPsm-h5uPNpZu-!FsH{eq)?!;+(YeX^sI zWA`Ki1%qi7x+Ge)6GVV}G>l*-Z~V zbDx^Kloc{DJ&=(fZ&vQLnIQX7s@peA{e_QzK2O2GkM>aPis+FJCJdYrS`jAz5XyB3!k5SE zN+MVpOQ-RT9+L{WYc@PKoSlC3E$c1YlA#eNO|M8w@Z~A;w7q5->E!lH4`~fou6;e= zSp1aDwLb_$q^L)`U6t~|QPlh?AB%|%5cF#3!qsFk8`oazK^U=XLi>{sql1F|8hTUH zmI>=q*VD-ekt>1HLqm|PV1o?=#e09wrNes&vRC=OI(0`KSksF0J_`NfEdLfZ$Nz(6e4s;;`bfokPAa7cS3bLJj1&jMVocp-=e)Ly? 
z_`FR#T_~IdV}q`Ar>HO=GO$DF_ByX*!UxjZeTL~(wbS~CTYZZCUSl8$8; z!aq*FuOt^ck_LQVMG>>#$loO1nxpTfGv=+Y!0wffS%YaOi14KcvF2BT%$bC0?NBw?87|P} z0zREV^qZu`=bA0t*2o2LawA?yV$(jsyHrK5&M! z*uR0V?tXJ1Nt6Z!m~ZwY)nOTT#=gAIKK}0maOk>I*S?nLvD=FLP1P7KEvfk}RkBLa+F|$39)3@=9jKJIwZT=s z5U~E@U)e6z?8pjvY;H&m`7g4;w&O7U2oneKB*thK?E8BF9bYLH#^g2p`3dB8o9_6g z<_j4SFEus$njqY!yN7H8e#LO5R5PD*smpQ$ZRNK5HitgLkM%#iy`Zk_=)^-L4_I&0 zVNL6U40B2=x8wE3?Q@$-P|97}4%E!LTqC2FJ1_Ea;UWM2SKRNL{0?`Hf>O#o&=`~N z!A((8M;PUX0!j@SM6SGJgMGH@YDFJm50zp%iK>dxTKiL z2&7FbMH-8y($N2eEEkpfLSW~@VJIyvGRJEA@cSoj#xn+y(UWNR2Mydq%LnDCj>p+> zljB>J8S0pCQTKvSB*$@s@#u^~FP>47P^Ba-Er3&|C_w8im9WDf#RoH!6V{QAqv~u% zN0ua^W2atFz))|(VJ@c+q%Djb{Xjo8#czqh?WNAJpe`sq*eEtiLtE`w)5=xi64&Z= zCg>CLUPfc%pR5uBi=tSUEXF_!SwJ_RZAPT}2S6NR*m9A@=oj)QL^!ArLY}aEjR&?9 z1(w(+!B|vN&jLnkC9ZC3cdiSxgNDabT0T4kaY@&KX)0HVDo;v^G<PQWZcUkIt2n zP?OUjhixE&1KWl!#k$$P$~&eHYL=U$#OC6wCylUpUOHVkxxmU(bz`D zfa#~hQw#=tN9@U1bmNwK7zHE_whuALl0axDV>}UYLFQ+evrZ?at~3jXEj8gqDPc@W zF}nF_LofiQ@JwPi_doR+=}ej%IGdK0X@$V!IzHM$GKR1)R!m&V!WzW%;I$oor@t-7 zP0kX8yxOE`-57DmYhMN01+L} z>v5Wre!0^WN52%Kb6`2Kl1{t#V}!QsXcZ#55iG(Mrl?m4FtpqPL#ceC5{Nacpbdbi zi?V-XKaHyNDm$?)rg;=G>ZN;6hPRYhI2)6SF&??%lMUe$)Fdmq766N3U??kTuFnc- zWgvpyVT4@si_>N(!G_#>kNcjMdfRW~lmNdo-)Z9Ed*KWHdAH^BsJ#u!gFEAfim&zw zG^bShTRV)&L|NfvX1D|4Ev*}+P*xq2{^a=I_<#SbzJtuKSXK8^cP0(qcfVf#ikLu2 zW13rEC?FjyjSZf?x*lPIshWSDBQsQ6!de&HJ>bon#%MAeS|7iR=jIF2r-yrlY5G$$ zprH4>|aM2v+U8GLA#N%PvHW+p=0~X(9LELo* zfxFK;G3!!Z?M=_`SKqBZ=HsEmWE%+&{Jt5K7>tGS523_?% zuREoQA9%~K#VEiXtIFX!hqneVZw0rh27Lw7=PC1AhlTPwF)3C@^mHsD1guV-S(tlF zZ`d$p&5@hsdrhU`k*bRmp~qyH@&FT|vvK-o3<%v9S-rghv%?IhNq-R?>b(@7Id0TD zCmGa3E`rZgzJHj$5K5?UH)@kBgEoj5=KM19i2H4mECa?RAYc>D_msrveb`vBl|}5z zL#C0EHc3g4P~7P!e$XK9G^H4x=S9*$P~CVny5NWQmaQg&1AN6^Wqxiwn`80woX+$Mix~;Veh?df<00!UNhDhT z`7-~hoUeufmN*ziF3UR!dc`>ZkEn$pp^tC98YbN8UQ3@RjF6v@Z!rukz3avheyJc3 z?ski;WPBaEz0FuhTO@1HpM2`^4}thqr5H&k1J%QmE|1usCqgZG^cy-B;rTvW^puj^G(N7%|XtK5IjP zSkOU!ORLpLV=U8g*;_hWBn&vW*RuBcd=0T@*Fh|=gUaB6^Cp&TuVb%vN2L|#?=SUG 
zLY*GlFi@^D%9<*l4j|@N!Ee*Eu2R^D8Qtg`{`cR7o8qlgiZasYd@bN{gDje^sGUy(NHGYM_h#<1^PgZhUgX=BoL!**QT>Z-w z$dLEp0CogymdLeP=Iq&XFwD8xd32+$fpAH0i-=~AsFbJ21$GBq68E6dEx3rw|L{VB@T<5rY-n&!_2nuL?ebmO?lO7W`1 zmEejVq$7G^UHi4pWAIN_kBW;p3k||7OvdS0dXb)t&B0c}eaD<9LyNT@w_dd-uGM*W zm7Vwt&ratZ&U+x3g71nLg4B#A|9mMy8t5@BkAW=HC}7*Cmy$GFUv;vp&#wjL%D>2` zJM847(E141XZ`v#vbfG9?6egzha5GoQyxsnhpfq<{?n>XjRK==&$n7-n#;Ife{`x% z_7A>3Fup#I1&(AaiG(k0GD%BI!%gEZW%&g|)@;-ZFJPr9@w@KhA&p4WX^W_IRC8WD=PjBHzvoC$9xrz)bQw81L`{cwbT? zHHiE0E}Ua9*ZV^(&9#%l`(x%9^|h;=pJy9KX;Oc1KddaTkN?3l2Il$Q1Br0~-8mlF zZrDpSIxXwg1l=Bs{70hIU+0IV8w_@5d1R};PMBK^ITXcIE~{*yP=VqwED(Ytu5`L0 zlp%kut!WNjr#E3AtBN}oszFndWZhNtU4n6Xd|ujCE_X`_`;-ee z%PSZ1(jNi)(T*fA*KUO9wJbJznzpW=f6}B>$0!H(OrLgOQs8p3N|)3z;t(xk zN(3HV?g4j%OOzF>sr1GdGRx_6M$wBhQT(s!iONzd$>79=&&o|eV*b@XH72k!xNmF5 z?0gOQKO-*w*@IB1uj^39-c^TuL=5ps+hhM0cPUUY{s(V2(EkBDK*YaGkG@Kr?`Kr1 z6u_#*RU^>m=?5x!tV_v*4>H#jP0;2b1evOahoJYP<#8#8neHq4^XsK*=zz^wF7EMg zoVHESHjwt^b^Xlza1{--xg&d9;%&t(CoofUf$ByQa&CXN*>dro_=uToPnlIMESf{ zuSIxp44D%?l*0wM*`A*dKuNz*vd(rroX(q~a5uqUsXyAmns|Iap&fBXGNSnlxALQ0 zgnoL%39h~>o95@mMXIh8j1_st3JDhDDeWXHL7j|o74W`D@-fS!YB(z7%itTee#mB(}u`N2*ZVMqgFOW&SczCc(L#jvr1LRK@@%iG=5 zTIK42g>g@_TDrzk+gcM|Pp78^6G6`#!@Ueoy~h>T6l?CZeK^nL#l`pa<`0XWh}W7T z9)so+Fy7z9LRfCYde^{)M`;?@EvOg=SnVZE0mM^UPjR?Bhl(>iWSWYmrjk2$!h(@ zH#&QBkzBVoo@Y==3P5#2Jj9GLs3*mg?eTp~D_6o%!+$v`6LsPfOmR-RnCpHi*~<6#i@Pi-&25Yy-$IP zUt07MevL!TSm@4shh1BC_jNI(=7I1q;-%B}d5KVQwWoy%F3>BO{CGHqBE$x>16`<; z!(=*0vBx5JNbQN09Yuij?c1~Eu831?9i!83$eWOn zo6=A_VIVM68{H`e0@+rA0569)l}r$sM8Gt0g%v9M0CnhrJYsXHqVaTPouycA6*n;0 zv{*>8%&EyVy}B5(PM5DOHti#o3-Kz{DdOf|di1F&?Ie`Km>VtW7M;b)tgt^a0HK5q z>svIq>zKGFUB9wBBG4{0YGlFF$UeFUtj}iarSTFo|T-He-yZqyFx@c#V&WE7=Q)k4;^jLs>J&43;=pKo~+p5yry@`{~;vTj%{F+lKd0 z`sbq;3CUAb6P_bY^vr6sNViXIfpz8V+0S_$#@E`7_Nkb~R%~Yp?Xc|ZB6<^*fc9+5 ztw48&^W%xiJ$Di-yMde8j5@XxIwjxw2i4uUi9(KKcE@0;dfR|aFtI=GMLyf=K3}zd zpGl{X#u@3xYili!foj$8Rj(dmlXB9Ys7XV(OYGd@27Z&mHdl%ix8;O2$fs4P7Q(uv 
zI0h18oG>hC)`3gR=Si~2Z)UJ5Nx+FJDJm*lw%K?b2>oSJbLujx7q+UK~caQaN30gT_@u5x0vzBq9DAi^_~^_;k~2FT1Mk!y{SQgQc15f}ju4oE)j#4EgL^aAISP4zZTQI1#6 z?5jAL8XZe}(1oZE>hLm**x2RN=y3Yh2;?YwAbVJMT>{Iwm_tD#3MszI`?gUUza{en z_!H*Uj|5;A@SE2}>?X&{Vo$d5Pr7?h-Z|U^&A!TJHkGPJPXi`uqsklou4lTs3U;n{ z$|LS3Chk7j?W5QQq?>}5+ISbLlGxs!`ayZ~l!SyRgf{$=_O&Nq@%(}glfn5;bI!ct zzAlDoN?mkI^8$}Fx4p+xe-hmmHr5;UvD!3^s)EWXBo>TcU^^Tt57*z#ByTHEH@6dE zHqbdkA1%s6Ue6-{(RQWBzW!onseQi zy1E(XxVU+Q4Dffo=)AbNSh^v7CM~%+L5*q-gSh%4ou$m@ZALK4&t#CVV^mUxfnGIF zy3^*k45hU$Cwq)Uavh0>@5=8GY+fOPgj}oH$NtE#?b3kK^5}GcV|K64-MsBVvp+lx z^-qqmtza8jlDIgeB|F*3Ol!oVv!}!FLJz3)eyzHa>FmH34m#KG%AweL9oP|LcHChR z=b-bsk-25af5&_*thlgf^Znghf7KhI7{uR%qejE1bB+q7PdsEg9hUE=7=t5JM;L=T zGj1^KTY%YCl-7f(D;tcxVi`wQ$Ckn_`Af75!L;5CKYXh<#RMmSBr7j%o6-xM&f}x= zP3rav2D*5$y>0jzv|g!a{DH&^hxp&heb{;&RQW+4SW$^M&BJx$m>< zk37BG3Vf#zwbZG1rS;n7Ve*#sG|BgMd~EuJ-}_0ifX8Lr5Q07{*q;Gcbn3?cuHr^v>Hhky98nzVh)oUYgC_Q z9yw{#H2brvR}>W5Wws?H>Dr}|paU&wzvVhClYSwr+zWwopr!-&qYD zZfsaqpWO_#$NTJBQVth5J#Dvj_jnE(2oII|MqoDi|5`Hu;;d{M*oIv*tQgNBF}$FA zPS#qBtKX70zm%phA1!jw;e&w55ciIPgpoP`yuOWD`I*!3aTLaspR9&Ms^H;mHCWZ# z9T#DQcu$87m~eR9ta_9=Ko$$!pugGNWj$>jUJrd~ZzIwN<-mIH+DSi-P&o(vT-r34 zB7ZXLK-*o4iFN+zDrldrFm<2EHI2sfbm}CyC=?tYk9><_Ql-!|-<0J18{0U?<1npu zNeA!k++?WhCS~gdVXXCW5N9dAdxzOZZW}>DcvE5Ng%hMMQVg#WANwQ{C)t66Rmd(( z<zIqnQ43}rRi-7pe1G&czuX7&^)(_+H(3TuhtUN!DOoJA*O1`t&Z6etnUU`C zjR^zqA z=MHqWCW`l0d`?fp9dXih*!dA1x=uu7Bc6J6wvX+S!vzu1&n^4c)ktHU^|L=d0&b%x zRQ%rfXqb)~pRUwi%!5|PdGj~*^D0sj`F&Zk3a;Z45r(W>RMh=-pZkslSL^Cm zic9_L7Uzz2U3cw01s4x`Q_wD^e?Iut_TP^kR_|)5BU7Giy%>xX#lWi%dVv;Z>d`mA zzHqes%u1N0tKL)T^}W$VGQ`;*1Ovt{9NSM?mC0L8ry$>ps!muXO=?kNs1CjkhEQ`n z*p_)tv{yM;d0LP0lt5~^4z`B^Xg2z?yyiN^dci?A;H~g3ZM7NK#~?g51X8*?FFo)4 zyKQP#SP4#+w>y8^aB#6ZX$Md;WCv;|?pSoSrIqTjMO~~RMyEto!`ESan;K5e6 zrry${kSiiyh)eVmeeyp-kV(jE2P_;Kli9ufnl>NAYku!>E6VfktZT%?GzfX!w7MAz0JYfA!qD4~%dQ3F;`ioxuS1-G z$zh?3`5|cKVmQ4y8|Bo2-XVc^p*Es2wWPmzSYy+#LJ zb^C@?v>$2j!D>T-q7C(3QWe>io7uMhakWe2#Sp)TTzb=Sv%i47>8vtfiJ?>f_!xne 
zNr0Czcu4S?QIVMvd471}$u1X4a<_`9zxzS{FduWIczDlkC2cH6>J!tM_MXA?{h#z; z74%*$CXs|k3sL9TuV>nKf$-SLvNyFTP9v-YzwyX#@w)y36%yZ`rxYXWmMWqYSg`{UqeV6Fi|6}xFMsew`m;-WlIf3^~4nRXTPWR=`|`VtHag!vB&jOGtNUJ-m-4Eb4P5~*&MnJe!nR99*1hx&0>ypHxw zhnH(s=CdW}NZE499dUWGnrTl>x`sZK@0ceULgdWjB3ipT7ltC;G_~!)@pACce4iK1 zZ0#aDIV;|aq0dHz5QZkY)Yg6%5_rRmb0TTSuGlW;3?u> zR!erfZ^x>@R+|M&XwYC8U%b(0JdWAw1O4KxqqC@S{ZhI; zrJ07Kv3oK=TIm+SC-nqDY$iE)^3Y8u;o6fWDx@2A&jiX@^XSLr- zbKdc!uQ?xi^ECW%v&?Rb#vptAt9aoWuJE9NC$#W4u&}yp4;O7*0+l-AK*PZPpHS}U zda7mLj~Ud=0FSo_DgcIEB^7{xdV2&_%a=O|`&AC!i+&TnSBffi60%#S2gJC06tyw{ z$U?m5l@=F?TAc?RhhIMrH50VzybCom;_Q@Jbq-gOl*|)(_HoVftIy2drBRYr2Yxi>SfyG2N`_kH6V+~O6J*BvJ8@4Ai z7HIq45IoJ=>TZ13KY}vEF5Aq?&e427-F^IU?)XX``aap&e}$pSA!n1>qPeSt&YnD# zxy(ax(dwa+uBE*qEwEax26SfNzP4**u z@Wvstgk@RmesY^@V><9+^XxEZyFSL`kbQRDaz;to_t8X}$;}5b!%ApFOCQD#=vZdlRv1RC6Q7i` zeeSwnf3k?|1{BEU3a|MO#6fnRxh}By(=M0QSGG4~rM@_LS|R1pdp$rI_z#eo2NZq; z<|}B?vD#==@!NczaI-}oilMaAsMNQsF0{5hJ&hk+@d~9Sh2ACNB@%M_-#u$7!7(Yl ztOJ8l+2H&iipBhYRV)qwC;NY%BVl6x|IU#ZEIBQEeHrY4&@Xd>rTjBS0t7-T0J07Z zvM%61HXhq=2^L()FWL8t%1ku9j8(BX*>pv9S82_zh&*2F*JxPf6xOd~*2}Vl#ptY6 zGsko;>%C!4GfOJf-G(T8)FrGxPn}=D{$sSx8a&(GZ(HqGUG1H3mmYncD$i$T4xo`}9i&~KVo+!-2g9Kat0Ag0}5 z@|Ln$ZH`-aofUHWUl>5;*&4rO>9Jt>JPGW4Lc9OMu$%r={z#qebr~96eI1Y@Kv&s$ z(;WW$B$xF|+Pn*z57ZO|s6}is9%JejkIZO!EBd+jWPg>p%;WS9sOJdi`Fe!~W3f3K zq;TN{qv7lP<)EHMXlwB2-O|m+7{3w8^w&_$`tw^*{G|^N-4}4vU&Q+@tJpKXw~+pT^zI$J^?TU?v9TN1e|%Lz*_%?HYY#5dUFHY)vL7jUq#aTRC$(t5y z2CZk@C$>`C8#nlCi#Sh6xScc?YsYDC&GL3~9c=!4I@g$&1&l*xdEROnHbZZWu9r#p zCw|PAM5e>hQGK}YxcSc+?P}QVb}uDyL(iKx>!*)AF0b-f_3ym(2?%b8=j}HVxZ^9e zcKaXJ_Yd-a)dWvEuX~TbRyH}W4*E8Ht?S^(tKrRCh)Q<{dj@5MVm1AKMnl3jLuf-a z#{vTe4sZJOohR|tUsMjqqkZs?!X1fCjgy5`FMhcW8OwVq%STXfT_bd{KZhQDKkJ@C)io_L?Uo;Y13eqyoP*YCfze&pK-+&C)F;_@&vG_Dr5x$ged+q>@Q z=S;9U62PaW52vtlZU?i2Cf@z)v`-fg#Ua^G0v+~-O*TogD&kSl?-5vp(=h_K6KWU< z6(;POz#`I{A^VfqE=~voT!Mo5hXlPud0E5~XS5J=yjN?ltY!^HhD3`XzdW2S2QtZH z7_#&P!%&ST)DXF{8|fxp8p)mG&k^J>N+@ZQ2+;qBerLafYYsScK( 
z4vzS7RycS5tZYFtME%LDRP*>Tuo=wk_R1kLqZx#3GoR$)FHvP~z>T$WsD=JzFJMhj z4K==kz%by*O~O3*&3R3v+J*}LX>QQ@s4LM|O{K~rdF7_JRf_6`m^NiQhCE$~ky8D5 zF*L~iL1c+ya6>p`jbi)=%9Es{g;CNIQW{LO2Vr^*KnN17lGw%8^MQXF%6PHRO)1cp z$m`{DLOEI}%W%$@v5?pU;WI7jB`$>FWu_>KEl1LxJ20Dvz^NQ<@!u?!8DMCl;ulE{ z#MYPWW*DoEb}BH@XSDlm6?bJfDdI#j`DfW#C13FU>@_3x%eD*osl@YyGxJFyFq^@% z&t3+8V8L-L*GDTIubhZ;rNP*dz#^gY62V!AN|-AbTmDf95ch{q8@CNBMoR#_MHOkr zqUW?lU2YN?!&5%j1KFUQ1?CH_Ul#W00M2UZuOG1sm{qjTRiJ(#EGHBvi(``fXI4a6 za?AL-Dse?BCQvd>5p2GPc#`&n1X_=TNZegnv%v6L7;(a;JQ-paq0IDG$1)`r@65@| zu|VsL@sKl#1&14Z&ks(XZZpPQ=mb59t70hxZJLf>f&@j+v7z8rJ=`US9A&Tao7WH; zm?d;peCss*A@Oryyx$MfTNsj7W zFVstzY6pjxJOEFT%bnRz6^AdfPZg&xqGij#SJCihXlSUpvEP|$U#yImG_H{t!x5Pw zm)a{_OYQ@-*`wkqO6KA(cqm-h4;|a;vW^a9dq5S#-kd>{esxoiNrF!#O-0{A539kC zidi5X6f}Z<6UsNi9uzpyjf$OdCB`g1P!d$($p6&v;1%S!)5?J?p_76_8Wjv&L02nC z;j&2(yKN;SpdUBZLh0+Z8mA^-6T#lO3e_u^Z8o&*{8fonSWUskVObvLW{Y1yk~EuB zkiE9k;2y|6=!T=1UgbG1KI2KdPZOBf}j8a%x|YcMvRY-b3yVxcsE3WeuqQfwP92A80VC_?+>9}#;in*T8;`q>c~nnXoLxmAnWxNswc?;{uf1QBD2hA_VkSYVbS%e zH8hK``GYrmK$zipQf}I$bsP&hg5LYJA{~On;_!PSJcn8y_vMBqF}YUr2e-S4r4qM$ z-&=I&Txh7+spFPeFL2EK!6yG^X-uAcvxrE5dl5M<)39*y=Se(UPQNrAZGu z7g}UK%=m5HPy?7+%M1;;ZBooeF>m;O=m;e^68@7op1O=Y9YTIv5Yf6H%WAk=sgM*3 zl&pI-C>#-E5K!LVh9fRLIu@uu$pNS)n0`X2As``C2;j!wbjZWOh%WjgT`ZK5^0HN6 zzlj8D#7c|`KW~~Td?^f(h$e3p~SHhxmVPb8eh|1a`D-e2Z# z^7=MNHMj&MNE68bQ^njx>BzSiA&AKMy$Qb&$zvPD2$E&_K0r9FXR&SndL$3}!9x-7 z0hL`MX=0=2+3xF6>U zViZfPC9u9p+v(G@iTP^4EIvb!A`tG4CPobPI5_=P1gCia zkK705AHW!)$a1Ve__f5;gJANmB=(vU+7ROI33T6Yp7Z3}WU@^rC#L#e9J6%jhyh#K zJ@fIN*v;IW_SqX?R?lro{Gj00$G75saA~Y?qp;n5A=8^dP)8wKz*ycH_$`p^c>85$ zS`Bg&b5BKn6I`#Ks`$h3zAsnCbXM*ZS9XNu(@GH`%y{<>1?ocKIGebc%O^hlP)g z8yYC&#k--MZ+*4Y5<)TmU@pKsQ)MX z?ZCYcA@5f^-@85F{dQ~zyB!Y^NJ{UmF(t+PT`4xTd}3Vx-%k4-A3LDNg=XtLA!ay^m3=xOC9B4h^Cbm1!Bs?k);rIbFW6u?|f zP8~@`tqvSblfBJkpBSsIqoX6B101eaK9k&@)n#5GG}= zXc6DGLaVxIk^k?OeyzDSeXVE#QwA-%j})Qlf~oNAgCg`mTK#+uex&kW7Xanj6o zT}9Q)4UzV(6f7(QSpc1%`&EC!%ngP9<}1Gg_h?&ioj0Tr9e<5oknpzKDU3W%9x<*M 
zx^Gw+4J#JR1XsP3yv5kMXy%qa`%WY=GF(F=F-^YrMSxNbJ#B~kX#gUEZiHwJ-Y4$^il#MBfbqIPzsr{nQr%(6C0=TcYL-OX>fq`I(us{0~bk}8ZPeWr3+tP~3YEjHy4 z>K{?%S$oR|D$w#1r2CBrT5j#%b3xhOKGjHbkPi8M9OJ7B?rp5v3ANV z!-%l=jBmJyanhGbS0d~IwKX1_ihg6Lg9PY#7thKmnc zc$MMTl;h~)W=OkHB8p7POt0*J79O=f(09@mc3m^Q3PLLfP$4y#Lhoum$iHy?5O5zo?3)=s#uC8Qs ze>P^!PfntCu=dWvI&F~^$74kJJdJ%2s3DX{aq0mk->^`oVR=J(_A_mN2;MoaZ3 z&rxTpR~=$Z(?w7Kde1Lymmk~{L^XFH;Hd>G2e2M2-5Yh&Qroe4R_@&2X>>!GAZD{T zR`&NJDB2qNzMc&R`)#IQ4&LOh7Wr&{HVE))#~7(1sBzM}CMJ;1oZ0f`6C6|yxtBVy za~-=k%tNf)7Su1gw{}|0l~W$PuuOE#fqo(#t&f=2Re3b}+za?5n3Pp{|7B};eHFaE z7v9l`sae2B)d)}xpjbr$>^{A@V|NJtX~T7c3lFh$E| z*fC&5Rv04D&%kRWMt04qaOE4Mi;1GL*rj}3v)OfJSr$^kRY3n;?P|=JhFdJ%BJjmV z#jF?`oVH3KX5bfec^SlSc|Q`+b|W_)za^e?Dd*%|{7S|87G^hmE4f!1JXthY84-C` zsyu3C3~s?sQuABT^q6$rW$p@pkfFy`ssQMdy;Y)6#jhdT*aFKypbMf8H9eI6|7q{M zqpH}leJx0kj7X521eCaU?M#%Y^_sDg+h0!omaK{67Qpn^mJK@gB2hy+Q3 zDDiFZ^y$-3eQ)=DiI?Id}K0jX0?P0@Xk~AmQk?KB(cMCTM&0^ zbNn)VoMs@AL`i&V$~09pB@8&>m%PxjX5zMZ{FaTw5jlnGQW5bb4;b!NBPUUKAr91X zR-18=thYWsI!(Aj!9wvSChW~?b+5txB8xI_|ANIyYmwX_NYeh7%G_U9D=qqsY?hvg z+?cnK7ZKTw`{GzC)b5Un+(*RNy*-6k9eTorpUm)~yr@yZP(AzH`Kv#(2pYSE)46P` z_;WCY!aI%^>clQ4#!AA+Q$C7OW-!3$@1Ae|ra-4aoEf3-&rcMEBC?_Xzq z>Px&7T`E+x`J+VE_knhwwRU+Mbbd{#x>CtUR8t^1aJ5fwY5m3(y9f12`-?*{m4%z$ zx*y7hhRlqN+6-o^)bELJN%YPA=*20j>BZsq>cR>1^l{%K^Kd$z)z0vL zUpr(r*55^`swQ7ZlMqIFYW=vhUBlfv#u|zr6Gp6XOU_8)a%(!5f!Y>LtwBLt?Gt^y zbz+i@39ii!M@N!)Ga$S9VntmIjD^?v7CcgD(3TIHo6Z=O%Dqwyf7q^K9r(GdEn{Gy zwfS-=?4^`bmD|GAx`f?8^IEqqmaY#NKD8h+Z-oN6J?&76ea)-7+8s9UfB7&GtSR}w z4vug!YAxeo21KV(yCzk_jqXKL7LX-$eaKWt25FJJ=1YgGtH zzfGGFFm|F+W~fHJ>z170b<5SwV1ACAU}BzkzV|#+eX)!!*9r46exG5UL|NFEX};7% zZ>NpGklMgt$%+0&O8^OHTj>D&HoT=5w%Zit4fM?X+7|QKH-vZOJMD2q`N5(L>VyPK z)aVmdWLc@ENSuggnc_8nFq3!~dH|}0Q-ij9VZ`U=lPSZO@7|@B4ZWBwXV(21GH$Y) z5}}dylr&0>bK!1=I(+ss@muYA@+PN8%(!V|-O?|tv#LFGYR@}@%HjwXKbz{%dGcQ-#N69lx z>BhV7c5O|{EzoapFwlulZ>yymS+Ok|^*KTMtPn8GeS((J~D6mLx(OrXniI#TY!MNty z9H`gO2TQ%oN6lZWb~^L3`&xqE&i+(S=DzjAU3pbJS^0xonnIjuo?TU+E{hwzV_JWF 
zU!A0P>etOqmbIe#d)|W1!ei@a@5y=mGMq24Smw4ecI~h)({ahOSYw=Ps9L)gbp7s2 z7k1ByETO*1#Pe&O2{qM(gbfs3Ul)>_1MgKB!f8gfLqiD*9a6eI$h(M1ebZY-;8CKF z@3-MBSJZm#NU@OgJ^R_c_Tl~4-7(z8Xi2fj{K>3j?Pq(#*13%3akHED(mw`7;G(5{ z_OYaJypYy`fxb4D3WH6WUzR(1JoHii+XMGEp3tZmiTBXI_GmMS&T$FjfhVX>pCQ0S zvUZz#=J*aN(J6NYm-H|beR{#^Bw{TRlPDXP_u*MF{K@OGxLp6$88m~qFwh+4$ao$D zNsR5=SSh<9C8wT>YuKP4^98zOpZxsM+Zm{@^d;3&-mlHEbR^_^%Y~8qqi2@O3E$e) zl1+J&Lj2FheCYdbdy^rQUE`^HEZ!!W=ncjV0_l8xySRLal=m=yO5Jw;zN%5mcE{>K z8k5`|k{SH%`c0B`e_wTDK2QIKyOrP5#b+|COfHAJZ9MHFUyZ)v*(<5KMlezn`YNW) z+Y~kWEeo@E{cXj(1V{0Fyx{tbv+i~WBuabSx;643XpGe+?L2e9^dzZxDa(?0-$&n! z`W+dA(c6yWeRP`nbTKRe?D4*9U)#S9CM6Yea&BNcX0n19_f(gWmBAPdpAcu4rTWK$gRsr5px^2 zldjuGzO3=cDy;Vki`|cDQj6;Kdh3OLCz2^74u9wJN@&FZ=?|}{ALDq8-@$$@Q;z;j z9$N3d&>gJ;D(#|Y&z|KyyY;CvLBlxZhyL`30TS;rW!3iCjY9mH)%#k!kM`Syw&EnN zZjlB3vNDJ6H56sCE#y(n<%cY*MG_5!J}^zy#F+vTJU22z3~tcP)>CWY$0K|*2kvXf zy83YsS=-&U7W!5#z5gp)?qGNCMcK9)C#;njf5vSdRdqTpAV2j5Ou9}b=t_oTJ9DZ{ zA=}%st;T(G^n;A8k$`rC;PGPAW%PTicbVU8J6#Cp-nfw9$3NCBcAQw6H73;3X7?l0 z-c-4tTAk8kRR48Zdh17of`fu?mz9p6pDKlspZ`+X?d5Zuj%~M4&RNQO%PumDDx_Pi zLcA%A7fRVP1Ng=dmY>h+J|OcD%WzviH}FfKc|-2=)o*NfFrofaET?7ysv`=dX?QUS z6ED7MIwoG@k2@W971`e#>op*OZV|ZWG430&k8ex2kWRmOLt4ze<#OIc)|8eg{f93X zC2v#vEKL^N=L{cJUWpw`Stbv1la-cj%#8SS!Dqc}*waqFM9I zN>3!k72hk{tY7B?o=SYA5odY*E(cYG4Fl6aTZLp9V zRa&|R?jba)xt4s5Duyx)2TAtqFXESp+$nB^bUabg5Xi*{GY9t+RGe3!H>u+}?|Q}! 
zvl`cNK_{C#t-I@y%9pPCknj6MJ2fd(&JnhGffWblvE3zF@O^5L&1~Chy6>hX@VS_z zk6IlU#ujZ_x60q!j3tFr$R}5F>;YY*mwsU^j7}wKkw=}Ewj@e>A*+8S9vakYVqd?L z=rtfd&1z}&@$(F#{7oYsA}cJ#Msbo%j%0Mo!ColhO`g`hc@>j4;dgARjXT=gYTmX@ zJVVdpMN}8v(vQ;-Ev})zi)L?IOS&)L4D?sj1nI|uu%4*A| zXL#M=yW>|T+S0Kymc83Hz2&GGsIRf#d-1dvZ`T%o7J4VB*LIlr!S_hqTNfdO`g&S7 zSfp3Na0^%2{9fV~LZ3V@YGSZY)14IUI-905>Hi9P$(j9OYZP(OX;e?NO#?6M1i|DY zakLLF5g#P7aEl24OL|-v?=xbinQQnu(ik7hVS0To%`Gnl-(5muHz=| z;*Cd_XSzld=X5ps7F!CX6gAy0qkZIW6(wJ9WMeWk67iervRUca-X0-I5x;Kh5ir{v z_vtmv?uG1~XP%OBtIGVPX%cQfy7C7}xkV)IjhmS^P zztidTCesc-8yS4P37Zolipxz1zdf5hm<6c{ls|v{ddBz98x(K%tW<*L&2ekKi~$3^I060&<1QMBnDf8VM_o8i7mk~28Z)vU`q&?0UH_(XG0&k zKw#}?=wS^cwuD3@uq705=;?4R3W+U24}GE!J3X?YvF%Za!xk89z2ALfu>BxWhu)zO zY!QJtDnbuE!Vqi-=wU2S0DkoIsCZZj4LdBtu$2y{3qit;6v46Hkq{^w06%Jjzy|O~ z5s8fe13?_FJ^FbR+EG78QT}#}I`noV70Ih@`EyCeK*#qJ76 ze-9@}`C}J2O#Wfok7^%ImjWE7`7ptM^8qpy3pT%hOYHBzXxQI!__yT!?hpI-kCYwe z>ZmT{Fh7ThIn2n>nm=;zTlrxE{<_5u8~pcgieNMLU%gi2^0?FU%*{Ta-DF&^n$X#v z3&vlro-F+-u$)dfv5DZw31Qa-;o?edl)&Z=90vQ)v}AG*4X&HCAd! 
zqL-vwdXMP~_^8sdixIEBrIxV2%lL*MQV~u&@-D0(KTF>_HCsP?X8-WLnjf9co)V&W z>Pr^te!o{UEH)k-O+2rxu33`ZtLKsTjR*ORQ+*?a50llU_x*~U&->o?aLSZuXEcY zPJXJ(n1h3~gWVOk<;K&OPu*bg#MLTVd8RYMdJu&ZTzkLn?a0b%LO{JeE)N~2LxtPL z3-Jx!ffRz?=Py(H?gi}W4mPxLibiam4)}E6_!h>8r)l@f*`U5+wBZWktM1bxidEwU zIjNS=U5kr+6lf1^s@CLhEvhYW110+|Zmu3`}P|7UZ z?@hhEd@UEYg)@`GW}BeNr_bq`a7qQyvfk>TG-fwr3z2NNVi;x}=sv?5W-NFqhEBHS zY-7y1O}eWQJsx+dhIUnJSEUc#LM;u9} zd4Q?iEaiOlZ57scvt%?| z8h+O5nMF&Mp2JV&R2$+iU3m09#8LZV?1!RDxwT7|L(FK?4dP=fZ3XY~dccr2g1KZE zKcUG=S&YL#@~aDjQVu>z@A(xM_>{}3xu2li+5P?E>=WL@NR8WWqzALF-Ae4Pm9kaw zLdo;aKYBctIBbEpD#FYnVd=(GKBTqWM?VX zfX(JuBBUKNxbyr2D_XOw9lqK+b^uSl&06rF0dGd7i^hO8wg)`|K?knSH3w#!NWYB_l0>ucgB=1 zjgN96lCsp1^J&=T$aKJm@6x+Yonz-B?B(}V0j3LL)6;@_JM??`8UT~}ts#kWaO`oPem z+H7l+udgAcC^K;jBg?1@_{;l@s3jIA>~RwjlCoBs*falN;ER~B&mnptU?0jN^WKQD zE~6Gt>{?{Ar9f4oAu0ufLBy5c?^$~MILY{vfEky>Yoyy9+lz_&ijeFcC(jRg7dG8; z;=lSUMvj%6xFx(7{aF0EI@^t$Hs!jwSgz#4?i)ezr~x*?D60y+hX%Pxm-=aPiGTgf zHIw~Dyhx@OA1#%oU6AjmTv@}|{Y9wuA`?bYx6H&c$udV@Q<&~LlrYWAcf z#knti>YtM_W0Pc`fsuNXF}WX}_RGSKEvWj&6r)H?3&ImM-1gnMWU)5v3Qwl%fYu#( z>QLGce7{84v;3mZ-ZCqu6}X&`F?#MM>xfGXI97>K{Yudhx|nD$?m-^6@L}RwTY-_uJKABi=G(0`$yCY1|q zehNE7&~qwc#(9R!;8K7b&!Uq1JEBUu^Y+u$s@Ltyf-$C(lf-Is-vta6ubj3~R~1gr zzM>(q5Zn6dRuauDK?Zl#WkoCLy1Ir+uA+ODg`ElpS^=YvN?fFVjNUJB^@C2Q7@1I| zXNg_gpcEqylld{0ntj((B#V47`vX_8QjzhX`|T2gMMbNUjs6i`#nE6qSf0jV*eSa7_8S9u6y5B{>_#KpJT++HETc5fk(`%e%2Cy#c{Km-K(yy z@XCWX4p*v9KYv=^HlLFzt$wdVA>_sC-n=G36)Z|z=KbUKlpCDINm$$X zy0L2Rvm0OEi*DZ<%;_(^Zql=T)<^3Jz>ZOO4DN64Cn;fTWNRE5ka4P<@t(O*v*@g$ zqMhGJ{i^V(h9L>YTWE46j6b;j$;SZSeijVp@+luzznRSzJpR7iN)cbo>f*HR#Wx`V zEIlo5S$H2O&1bZorRY$kvsVwenOaw>B`%)}M7hSwm*8J=WnBuztv$;UX3Gw9r5`YE}F+K{!WrO&~04RII=Sx-=e5Vx8Hz0c#j|}Na@jMQXEdh@Q*8Dep8sAbU!)G zpURLVbNH^i%(T5b!))EEf+i25WPCMxL)@PPd(|?L>A?5`tQ@v(Ju~<0RIx;u@c~}oojP$2su7vwG0xrgnd_XV z?@KS;g@^0kD`si538(aD#i%y>P=z|6QsX?5-2mtVIWOX?KXJxymJaPXi!FtZ_C@(k z;&@Yi;`Df>Y|I|?W%{|%7*Uz>M1j*?40P>D`$GGbJWld1>u>STPEX{OUNKk+u6LgG 
zQvVP&+|z=0O+hC%e#W(5<%PT>_XN*DYrJcz%iJ#?f86VDMt?c(>+cKfp9@8o1+F*E z6yC3HN1Rs_je(^8I$y>8HLQ3tl8v;r>KRG#=sgG0Os_Lf?yQO4{D%Kitl{oAW^W4d zrWM<>0q_S@_B6vfl#I_q>@SR7WhHuWdd7x|yZ3(D1Bv@?W2TOmbi0e^K0X)k=?$-i zs?5H5es0WW`DI@R!;2(}^@&M}wchU%b3tzp$P4$0o7ug?B&Sp)X#zQuX?lp_IBo&R zsIQc)$==rG7Osj}Y~>vN=bnoJ5#Pk3*Q7RbP7(K|A-f9B`Ifov4!?+Sz%#2M6ssdy zZX53VDn@4FO;EVu)3u_w%DYRxw&pMCzoeq+<2aACf+_%+NzZGz3><9zCs{L z5Q24jWqRey!OfRxLBSN?d446}spOsg7#8fD3E>vKAbM$6>1X_EogRA$<(0DhY4x>h zYs|d8V~j6Bxb8c)ZO{DI*tYGNHMVWrwr$TE8*6Oawr$;&dv4C%+1c6IU(QLM?sRqa zTh*UBovPpaykdx8=vI$>#Yr@tBH1>7;^M^*q=Gy0eahUYV}4O(FoWxUu|yF{w1RuP zf335&ZaGBKMWK|Ix_dh&=} z?bjN8QrTCj{lVNm+Q?ggnb=rk=V{i2iQkL*uL_2bB3mwmdW`vZ%@!et5HNg0c^yaGEuyFT zX|w0&?rw=KAy>#nTRNSc5N%!=>Ek5{2 zF#AJM6{e_Vu7D1QN)xKmgB6ulz3vD+iv*WxS zr7Ekc__rB3PgI_7lP=sG6XjWpWI-h0%13rr(QTY_KkZc`b#MWd-$FS zP_&pg4E6r{eT=Cd=f~H7A-306?vtJ9HhVAmv{!fE#lD)TdRsKt!#lkJyl^Tr>`xy~ z(w|aK>lxJuQBlPO35Z{1AY0=igrI-4P*7GhPOyVozA3h?g9?d9*TcJ~KDBVO-aezy zk$^LgUo?y5k+blF$>XWPTOLrV4= z7V;$qnNLsoT~a-N-D<9tN5gu7r*vOyje(Y?jVr)w%YmfrZ>f`N70Y+x!~+)w#Hw5o ztxl&E+b2wI=EBm_lsm5Gm(=`YXEBbyRuM#)5X4A3Grs{Jzs$Z1gScXR!4|-UA5Kg` z#ZY~7edjR(T1xFaMPNJiI4U+fJi{*#|hB0K?irL){W|QX*!v&+D>`P%Wa@h)M4%_#JZ~Y zSX){*yl@6aj_{d1;v4HZp3- zzF=~|cRF3?b|gGMeifst~*$tN2H_`9sH(v)Q!3NP^ z7gE^ph6~`$+&KfInyr3GNweyLPl3SC>s5VTDR(6!=7GN+bYD8I)3>fUr4s4$vi2RX zda`T>=hIxbBe}w*q)H~}rd5xBYFd8_(luz8NVd^j*VlP-wYq*(vDb&R#0+G}dqLQ* zqy$-Gt~CYpZoQ6YeqqA-Dtqb}k3+(`uy6*nb5cjRL2dfR#u&3jl`>%yJ)-D2$qi^P zK=F0vXb^Nbyo;8J=rTW+we`rH>SV-UxK4j+{__S-hbppk7&CMa*5(~kg0@)8yIg^m zn?7ilNC+Ocg{5qnMWM+>B!b(D#<=Nl;949T%uoqjL4Vqi#sYAM_`chqA7aGTAgmDAU( ze#7zIjIj5#Q+$gVoj3t_QK_Upbtg1IoYjvvx-V>!dZur?{u(|Dut<@7vT{4v%7-pB zR`SjhEOfx-_gmVOQXhW2fuaY3t;*vYicKJYh|occYci%prrFj?u?HvJv{lizJv_n6 zgTaRAjNTM!ZS}=O*a+8uS*k>M@;gD0`qKX_7=DV^`>41rpHPmF~xfjTa_63joO-24mfl zT~sp3Z7^4rRlcJZMJ4{)?g!JUd6#)aY8qLoDgrV+%^ zKzfOFEU@%U$rOT>9h@P{#Fwo--4%8pQ$e2@RMFNlOH9+wTrD$=43<%W{0$6qHRP^A zQF#S|)x1FnGe?Rj?Sk1wk-?+ksP%R`1R_@@49XQ)LAL{4m|VIvF0`HHfZ0dh%9W(# 
z)2v5l<%Fvy9P^7ue()*G?IGF3 z#0M^TwdOFwNqR~aX(@)oF%@j>a<@Wj<1YExm$w|RX>PZw2|9y#8^I+vYJxe$0%tFd z7Xlp(eN^4~p)F}u?gvk1oc+c0SJ1GuU_daH&{dP2FBnm^qR>rCRFdgSY%crs`}d=G z{>LxL4INV|_gyoxVqBa1&-e1({x%?IU&pK1 zF{fQG=h!%R}czlvneSvlFE`xY;;* ziq4;G)x9vLwLN=5l29_Q2+`vzEhNW6>ETehM32^w^x6xnaLQ_V#1S4ec4Gtss}j?~ z3CPrccZmOli{_g$3kW9XWi_N6}X6^Q&a4tWciix5NpjU7}fI3)6^TaT|IjYpX02jV@KW1%P+n z{YP?t;GlI!M|?&tRu4z)Jzq2C(8(j=SJ#ON%(O=QOILIIlV(SIt(REA#XJ5RNsRHg z%7Jk!fsY0jz?sF#0XL!8P~*AsK1{aqob`-K396ARN@U2MKL68$te;LEZ%KoIi_qlF zy&NnK`L16b5KyTqHHJW!cs%=sq{lSDoiN<3$zBPIqGlwPMWI97fJDSdwbn|eRbW1B zqn!4_S8**V7+!oIB%#6Aq-JXe{M4TW;8V5%rl?KOiMwm}j6^S@DcWCYVFG{it($2R z;G&-o1NirL(Ff}*UdGU1=8RFh$bM%oo41T*6u9& zGa*FS@>yvoprd{=rP)-z_hso)TfeYoww?-xPCSI+dKj-HEYfRgp=I$=ZJPAHnq)Y} zL)kCf?%zh3Mp(67?ZUsr-wN&?;*hD^Q-?B|2s0%{Xepw)b~VIf5G)6R0XaefV7Rch zqAkb&V_uM-)3Cyt|JicY#mA?mrR8JF%#JNdK}GiI2NU@t0YT|oLAAYcbY!{1a&$O+ zPX$GXWMx#vJnW@Wts(ejrE__-MLF2leeJEh(fi_WfyIHKvN$;+_17Q;!t@6t;2TWz z`+dliv^B(JR3&94m3T=*XVoNCab}eyQE%jlv00^uUTQg?yhM`eD(#{s8S@ZBtCI>Jy9i8B#<4++`@!0{-RKQmT$@d~QVy z?S)AXA@XZc0fB=73Bbajhw2B%{nep@3-~NKyU7%%P05+Gq4D`nN%gCE^Q%`(PWic* z+TXoxr7fzap*b)!-N)KqQ^cBL{Gi(TS-_IyUilfk$pe0t@AKro{~Yn>d}>YjalN&s z{y5*;(f*tr?r46yalOU(T!QmGgY5qE+rI1BG0?Zu806@xdqLb~7YXn2&6XM-o?6=; zg!GCiGzsd)F>!Kxs(THqjUkrvhSHTE=vR_h7+wj4?^Kdl@rNIWFawQV4Q9#C-dsbd zvVt1p*5s-uHt3mPf+$1+lR|(<5t|@RNKBl!f8AS}(xbN>{Q1CHMfi@wj*lNHjS_;> zFrO<|X8RK(4uiDWj%;Fy;SyE&SL58;=gYzcPXiYR6rL5nq@?u71mBC+x6AX1QDwHQ zcQ4}Px9)^ap1zY#mm80n**#w@bw!eHe6+i!gX`CnN3&h~pTB1-WMqKpklkiQ_L<** zaaEn=_STU)^ACkc*CPRkrZHu>p&pBd;qoCjV9u)9Ot;6^ROqi2q9=OtXl;1^3LKwR zI}GQ={S*@U9dT+hRmLwE)b6zKVA-6tvU})0Rg3D{<#wJTq%79mioulBFaB{Od*K{_ z$ST=}ZGg49aIx+7mAA=6i7nN~RBMksZr7J2^JCY}Pk6NQEBX5&zMlN@U0*$zM!xYj zEq`m)jbSAFkIOS;zU-7_30h#{z@S-T5%K=mQ#W~SUekXUsW^&+W9{OepXK4HaqbEW zw#9ThSZTXX@u1cnEK@B~jW3)% zI6J!Ew%}|97MHT-o^bPoDg=xx`z{|I-bk=-CtOHltLM@AMhZy3`H;(cc&_tCo1ob7 z~gu6|P zs8FU81oFEIt5a@5INFByt&|qf2tGpCs0GiE%>kfv2H+jLD1KChB2=?4%t+`i_7dvy 
z3T#N0Nv~K6PI@wAC8tN^s7!=Vmj~^sSKoh+s`4_OTE;a7>NwM}iei%!lj2Utvn+*R z>=_t}xxSxMTpP@Lq7IkDC!0;?%5n^pxvk#$HH8;JLzU4nZ6&+%?JOJyQcUCwN+T#c zm!ezuiK9--B4dfsa3!U%SgfEFmV%Ag;&3oGG(or@DAq01u_U-3JU1kjwDfjK2A7WF zkZg9}ovDd$*ZYN=`ug|u`^t4?+@54yB$0d<2v(5=&{p%01+Ky`CKB8`TB?ttiRj@k zQe6g0^y+oxgm-?emtfB}wH)D0liz)*g1Wqo|As}h%Iy-dRCB)r3QI{+1br-jac!<6 zBMsF@)ByT8i35i=6DC1o0Lwbsu?Zt2z=9GKiq~3@FR>d8j}VeqXTUJ>G1RMI ze(HdW62W63To5-BCRivx7%gb1P~Pi{ZXG7pmvRUAMbonBEJw}vg`VYM^XQc<=7wE zmt77C&H(rnL>_qvZN~o#?>h-0pqP%z#&K@UyLjgm_%+6WPnKS z5f~B)@a|8#`|nf~cLE>D8y!m+q>hUR!EGQ63^*qy?u}57XV?{?kvP2jg0ULNo+O9i z@clHjff^n2JU#e8Li5r$j2#IaCRiMKF}n=pP0Qx^F?ev84+W_&5VTHDVzZu>U(Y9E z0~&+?tq;gIQSg!f0X|zkbpA~5f@Or zHxSX=|96dq4-}37BmxQd-wICz^1l&?2;_ew6cNb(tEZ39>Uq~%h3S_NF$EWc!jte z2EzD$6!3Vw41BghLUD0r`Zl)*Gw1a!s0SQj@{h#fNo=nXEx+K--6vP6Hx6cY5pDeN zo$TFM>+4(Xd2y6}jEL}G{rEh;y}UOEm%d&Uh@Sh=C$yOi>F6|6+k4^=g}(Vk0ma9b zdt=Ysg(KhagMo65-wa25tndj4*4 z`9LnnnlZio(vKa@2K&af%Pf6J`fZg-@4UOW_lZaGh_6uNXc?ku8(UiDdVSUzt=tM&+`WnaH1O*@K9G z#CH&f+nfxzMG*z(#!(&0Ae=3)L7jq{ap9WcqQ;CPw9u?RqFE)7^H?Ld{ag(+(-%>> z+z-Bdo8u!;zC@%QnAM9+ttzb-Wc&lEtt|x6Qcp4YG*_ zcHF5N@Vp67yIQq`vIAunCc_0viKc8jJ6BGfadph$P&nn}wKnB+lygGQuk-|;ETT^O zH9$>1MP}-6HWq%r;kJl5RQiZsN~tn2$GC5f%J^*1o^#9X|FW4hhT&al21rrlSrb%& z$t5(5M85`sy#pSs!L+k0i&c4;9a3K-!&>g^A6*Ef@L6wHQTCwmxGd1{@*OU_zj}A% z26KN+Uvk#{h&XfaYrlb%*soJjXt1A%h>pH<+-+a8cHZ7>3x3?bRw(-7@%EmH2YgMp zjC#Rl&f2!9iD_y*wK%Oi65ic?kWC*~cgO6|Lw*g<@#ENhmL04PCF1+K@0{*zD{b^C z7Wv8NJ$sUm3GX0kj5grcOj1M#y0~NLFc7iW>OZ#O)%B%9Y#` zGE^Wo{^-&Paw!5qn4@G!CwJ|2l~D3vw{t**LlR;{5R6I;At*^AAa+F&@qgngbBB4x z=8G+tt1r7sU;Gdk^n7RfPqlIRnI+zK0B7_ksfq3~4?ytnoOyt|AQ-T0U=s7o*tIf? z_!7_xk|gr+aF0U5;+|r7>?5<$%k%8sp#%u-*eY-#+;#R<MS;pp^WmM3H^J4LB%#QgY|BH|MUTO5ZpQB?6>;hGMN{atTCuEX*k-Dh2Fs-m8goy z;4$x&W)?vtWwobp2p6jhgf^=s|3$Onc(4Yh-UcX(2-I~*dLLi6C38a7b;zsIwy>{! 
z=V1pZu2`iBPPvU=!4QGj<0`L-fb1zlmQ`1SAe{L%tJVZ)MEw>}5?C=7<5al=k)I7q z5=R2}J6q@-`y6MOAPC|5?sUuD0*LCwfWM%%X(S4W&e8KKfnG4`!WAFWHR>Q^*Y+Aq zwCSMm0Ti~q*Epl@M56wJAR%f*o+yd6$CR)x7~(i^WR_RfsiK?!gSc3}O@#a+4{Lvp zQWT8!e+xzA#9=s}oO4i8uo&znNyJJfO6TsbPOM!VPSSIvr_JGg#UmjBf|ek+NOknt z07k}eS~O;ktGbd&NXAXwzU#fq-ZQX5@1g$ouGO_>2*AM99>Rcv{HU}|9=xmnDP*xp zKXm{c&R6nk_Bl39swTx0S;NTW9@P2+LW6J_{odk`w>zGiePSckghXX0NSi8tLzdHg z4iOU-Wpy;74BI`ZfB}fpWfBhc8{!p3-W{3Kbc7sG++mF#F|0kE&ef(5)`ugvzJ6q`9GAlU>cGtpfj>X z0k~q80#>NhYIXjk3d!|y3A$E>38fbtLl5$7v2jq@0myiRTk9FnhD3;F!%jeSq(M%) zTqvz-o%{D70Dj!$62#Kf_An1#UbtBPG36CQFJ;bB0-O zxd&PbO9UGKv2+^-2pLKOD^f9Oo^=P53UW=)#>XfBMzeuc~(L{%n@hU5atAP)Er z^jqyx%20C`D{&03)C!WThRS2Sdn`CK38hem5G8Xh)VVye$T*ZpN`;EW0t?Sw1${$i z2ux=ZDv6_2l9Vr7TpvfPCCYx1#a2dvj6Qjx}>O+}q4RArFub{g%U`Gj~^0R5l2n*`K z=dFLyS>Qry&75NKHI!XMltunoIVE@`l~*eU&xAf-Zu!qh3W(kO(VF4BQwiJPFzG`u zb+Wewhh=B&y^{~r$|#=b#FDe$_8WKzJZ9#5c=L~;B}~pBMZ-Bmf|~iL_2W6+m;)zY z5~o%~+!IzZgC&Uax8+oV2Foy*cxirlzO)wb?DTV9FZ_Nxt@kBcMD$Z;c+i5^`+1{fNF0I$q zCFt${GvpO%D3pHA2a+yvz++$jLI~mZgXV^5_T$6LaiJI4w{&$hv^4aj^J8o8M7zC% zI8DzWbi3xlP-xO5q)epE-^j+?3QS<_%+%*U&mUtmrddsyiVu`1dWFYEqcyElP|E*U?y+NO zMp?Y3-k|-BN-unXL5o#a6E|z!I$}V7*0%I65TCS!ESrLX<|8!Q!h?|BrL-q)`0s22 z7p-HJ?Q?1IkCL+7;ltLM{^#VDVndjlgwzk3%aKu>u`gfBGTDG1$}xo%D3$J#X4&cI zYN@JLy4uko%aIj-PWzSZ^dUw4mD z7CBt$(G=7tVpb8{5THap>Tt2?VoVn_!I5@>l2(bF`c;H)Lx-{UQ8j@O3v)%1rDEoh z0yfDK{Gqe@uPr&++Jt-nMfB79Xr*oe8~Q1z@hEZurZ8Pd_Zc2hpk?)vv{Huhfl3Xt zj3&JX?s?`gF-wj@tY{;5sR_X8IW2rM^|5y_*?MGyydq0PZ2f8{M~`j0bneA#Jct^1 zWWb+O3>rF_gAmgUx&sD!sar>x5$V)Nce98@b-&T1m2a?=cgTCLJW0wJn4`a4Nd&ni zwc&wMfT}?1o)G;34l;1xOQyZhP-~AYZ-Po(CLCumR<#sSg6sb9)h|{wy|pS(V)ciW zeK~N%K(SabCILr%3Kggh;(?M0PQF8sjJu7a)gt8djy`Tt<4hsC#DF0u)^_au$dwZ{ zXIXRTG9mzrLqaTM8h2P5eg?@(g&|00DaOC|h(Oa~OqvS?;hubEMm< zJpnPCcYGbH5VJMOT81z6=qJ4~$Lo+h18(E^Mm2P+{YYU1*LQ&T1W~QG#djqgw`{4;smsbsz3f#?i33hda zi(u3%Nc+PnN_3$C#Y&aTzS{h%1wZE2W!l`73^-R-H`MNB z56o_x7veC4$q#?%0&zpR^B0KkrcQ1b$ldMNyb!rDkT_HjCn)%Zg^{urGOwa@PCZ{q 
zNSc^?Plj3GJekw4G+Tk}571ktBy}|`v*9BKB+&xb!b&hto@G9BL=s#Tdi!HWg&6g+ z(JhuCq6SM@b`1}7@|&?Exl8!U3j0JlL4K-^;>rGeAspSR2Etyg#9cuUq6`H?09{Qj zZMt~i0TZU1&32{w_!T{jCL6hqoDiS*zWbF}nz4a;%3t)ZHltvpn=J)^>kvqjTD$b* z+x(MGQf|W<%Y>@Tc`xU|+3EWEn-hMI3F>Mw| zEh}_ARj=_KN@^YRJuib@F5Q^gvmLvMQTZnfyi-+vM)`<9>dY+JAZ4L7gg>ZB;2Sg5 zB|sB}ReTmETDip(y%rVqstJiItXd)+1gPW7O>HpnKquoI()r zMPKC(jb6q#b01fWsKG8gE}d_b8%fD^;kw$Al5V}y?08CzwOXrcZ9DC3)U#W2qV2w^ z8@v*Ce`@Zpay`la=)bkh8>qs;fsCrm?cLun4cl$wkHJik01C<7B`ka*LIsOOSC1A) zAf`b~9}3`Dwe#z^Sb?Tvcp}01d+VDB;NQyoeBAc36s}?*XmL$^ILHE@?w;!P*vV|S zeK~FKZGVy4{r3&AKkmXjz_{&Dzf`1UeTNH=mNb$PNit&tGh&~a`HQNDO{$RYwW@SB z!x3fOfkejL$AX7GYaleO|J&Z`!t$SMXfw82cT;%#ITXhLXr)@#Qun}O&zjuwSZ??q zn{HvriDapCvVqh%#jeq)=HvNvaE^`Tt6k3%OuTyAQI%uRPh(E`1L)vFe++O;sH0lS zJ6`5n%I|WLbcE3n>=oIH2W)Yi4WO#4U5a-TS4|lq!JzJ>qpXnT*qjeXlK@fD-wCHJ z4J`CZ{!uy`g+kO5>rA49^{#?66Z_rPMKlj!)yA`uvzAl?jJ2`&ZsVfrDtW^S+Q&;V zspL?K!d*U7T0l7me;l3?LXtrT3vTVrm`m6A9mBrrLWMjr7Mx$s(@R$zXjx?%-7Ymd zMs|oDIjg`$Na-AM$Y{{!^TPVx&>fX4VyrjU`-O;Oo^*D5(9($ZoAGv)8nm_387}p7 z9O)Vnxz4UZe2vR`2)wy?PP>u#p0N0I>OgS<^UrD}7uzDv#k9rcbz&XICe^yduhe`- zEJHUxK;fc+c@_7M--RB>&^$q6muxvD_y3qg08p?`u_n5eV==Z;QfTE}Op460E2iDH zEc?I4fmI6>coXtER8-%@ysWIQ?EB%Ik6JWiOy$q)LrZAP)Zu?!;Pn;B7cl)j4G ziF30MAit8a8+BamicMY7=~yv&NS;Ot1Rvom@RD`Lgk_ZKJ*gVhsk~QZug`5{kF{uO zzH0nli_OnQjTW4Y4Ed1$m8k^ zSher${JFHc4N}|R3R2tK62Rrs#(-n!0{)IksP*DS9wpBq!aw4SNdw&lM*Pj0I8aQP z`WcjsV#Ajhy!FLuswY)ZS9*Hlv0SJfGzB3e$p`Nlq z88rmmxgaM#J)t4Kz93M5iSw__$mzT5pMCp5R zamzuTp7wJ$7Do*C3SagPq-7mh4mwxnW@(w{T=L{BAjvl)3wxXsfhqwCv7`U zXQTBe49Iw|r_Bnlg4T_y5$rHJkh3MHvao667ldo5bH93Gd&P1FIbHH^`cCKY?(nla{ zUVcUH^eH&H)^!9AnB7Ez%^jAWj^gusHp-wg^#r3)?{bn9EJ~I~AiZ~c#L$4s9|OHb zT2+g1B2wd4g?pn2to+X!3EdqXgedOal%ruDc7i66z#$RMg^&h%o<9lMyn77bG@$Wt zrfxTGDZ-w;G4RP&cSY(0dnF$+L;EQVut5oHD?xiXSlf|BuAOriFy0|JZ=;Tx3wCY9 z-haT>tidRTsGsT5T9BXcxF#JGCOn_H5cu(y>ZSxow(eTIp1jKkguTT18AcE%?^GGY zPhM|L(u>qa@Mgw{65P(ZMHH zYgB?*A&)7ROlSHN~&2ze%NK*V`$XnZ(N!-}8qL|Y1XMZw<7-_>hBQc{R 
zlw%yTrls!==K?_MwAtl6S5I~AEk?IUz3r?ixjvW3pN0NhDgFtM)2A9e^r~Hsarc(| z*?dF2Cu_~s+*vp8{4kV$RI(Ezs5+0VZ@>qH_Pi$7F$g=poO{$`E#h_*QQF}3Vajhd z-PV7n+;KC}W$TbeO-e{^SiJQ_ACorU+ak4?BgNp$l<`XoEci8mTKsN5*f-aZQ;qHG zA}OvFJ?@o__fA#r`Mk!!cf$U&Bm>NW%XTE95C`a1yCydT z6iUI*>&`4olByF=b#*44h8Do`P>7L{wpfT^^2ychF3#U85TJBq!t@xVWLn^3K)YO7Jt4AWTZO{*`~Wp8g>W3^-yKm8qOJ1oLv8!7+~+UWWiM&(FJAN)gps`V@!DW@L8RbwsY0=i{mc}MNvgj zMghNqqyS5C5*pg9Qcs`OX&mVY(?JI2A09AR!;R#rRUHzm2_Lojzj{Pt@9pV{)62J2 zm$aI&;)MnSYHf=)wriJf$!v^uk-0ayMBQ0VWXdr5oyuZeKQhKY=1@zgmg+oG1Y;qd zs@@BZU!0U_eGGP~iP#E?R8BnJPa+sFEO^PL?`7)g;Vf0s9t zWcxF{{A!UO2og{m)r7(W6}q zAC+^S%WB!-YCOdQ{URZcD9|4aY0Dab9s&u*R0r}$Eo-VdamTn|R1h33^Hl1!56m`A zR_rqs>xJxq(Gm+hf7Via#*Hgc3PKS=w5Kz%Fk6`KydO?V|AD|rX(&BZZ5PS?aDN<78chAb5RvLp64q-%8R zd(mfmmc8L5iIoU-CB+u_Ldy;JLl*TpJ{jtH7Gh-xsy(Wu4F<;<>oc0iW2Qa4$nG9_ zD)1WH)O{nPB5nxmBqK>hYQHUUSUc}U>;TwJtE*j|hL1adt{4miY9 zt_ew>rjs2tD-XM_1hR*whj3|!fs4YW)b&xks3T3aRB4Kv02vaBb_M0L3x<&`8o zf}H8PA0r2~t)iK*RqbGX@s?SJ`o$|VpT{B%u33Z|39sUHTOaq@-q`|zwZ~T;NS2fu z1y`f1Fa|`Kk@P^ljT+vvV`=X_eFBiN&^=CPz)})XmP+MK1D&1s;~K3$va^a)WjUA? 
zuWwCIZQ4>MZGX9!BMXmRFTo?pt-dAd5<<=R9AQ{17-BOz+BffRiHkdfCIa4n|4aM- zMvbQAD{34OGMm?Khv&M$gW*bINN9@HTvYS?$8i@}4kvpTF;yVA+`=(5%T*ZU;1PBt z*GRjSZ!%?-a$#0|GdHmu=V@d93VnlvFwZJ{pj0(v|KjEOG8H;$K5E#zd;F@Lxzw33 z*kr8?bCSDNzjAvx3v^KEr%RI%xJRA>M1dt`FXk^!La2eS-l^kN$+-wpvn9d?F8jF= zG**(bYwOFJD%fnwL>I?`Jx2{Cnpw}KSe2y@==n&gi9Rl6tyMx``Vqt{L?VwEOw)%x z$31z0zfkH3N#hQ$aeU`hE&h}Zi772DAQ(hXc))FcZ;>c(MsbVZzo<^U{2GslkzPS^ z_QMm<)6}4}b}mX@`(Wuytf^JOzN(2i$>zu2hV=yRSo?)Ecw!xJhW6D5YYS;}GwOk4 zb3kbgB{Fiyed2%hbU52e_RV_}pp)1E9YFe>RTO6KfSL4da`mN36`ip0bA(BNYz{q| zuaP^^igEJ}Yn=4G5iS zOHdT%h{2V~3Kwx+A-tddwBHSN?d*S@$3WD-^``jt+5a!x4`*SYzaaQLF1ZxMM7)&o{KhXhDEh znEM9^J$}?7s-_q+^AP*s%V&_w zlKM7)I6RoVoMyn%#flx4?(ce>7`QVZj11Y<>5QpG{X-Pr&>^&E`wg}!{La&rFp*9R z6b)fNHhO%=p!uY#$vcy#9x;;$j{iXa{}Um7|A>$7ml^U6x;uNqxHejVeeL|O2dx30krx;hW5>8h)Htt5KH^-l^4lmPZaLLu- z_`~a7RrSmj-ac)tw<#9~+E_ zS!QB5<|yq;mzXxjz8JX<>)+w-wO$S$pU1)(AHnNvQS5vtvYj^2iXJDAr^_Ng6*DCzE@b4T> zbZi)1^sTR{KCEvWTg1Gc&&3)Ala<}K@|qVm1ecdSgwUY9c{$9oXYtN}pYQ=Y7}eut z$B!HNSiL8`&w0ZAnHJ2nrOTnWtna=x?CBUW`u8yY`N|tzHWoyynTf&kXTvj=Qt(ac zDZ|>VNQqR7w5gEnX*dzN{FSX`qNeU1QJ0{ai8cICEnHd-&^-TC^}qv*3ivFjRLt@4 z+3@gyijwL{cMH?XctQiPXlg?qxV~XXS_-?2SG|9xMITIK2qg&8F=*c=mVfzUvFS-I zP7U?ZHYa|yF{xDO-@@9;m0&2wWn_$+i(t)?&C@Z_3J){q(ljmJ5*s4p)d&E=mKtvM z$tc2@(qe=;hGdb;CxT0RkO)^0ft-f0k$_V~cR}F@&GEU4Dxn{5^Eb*&spk~0ADA1|#dD6z1F-0TC`qM2OV;gChzyB4y@HSL`CGq7YJyIaV<)Zmps zEpNHkyR{Ol`cL6gp^*#fsY<0g*y-ln(jxw%8~S&_rq9-+d4@GR4ol}Tw}f>sPr9p5 zMKh#BOw6H$={<-rh1pVTZUSH^;SJUT#u=Bi(~#kF+(LD`>tt56>o&-U=#; z65DjEqXTUe*2iE^E9`;wQA$jjr8^%7k|-cV#1|M@@By3YstdvFDM0E9+n!eAT`y06 zVfTj9I3<4>S@lXVvIE>tq^RI7PiMozGh!u!GciY5ex2_ffVOs)7V|cNg+fdFll9V7 z6E6MoV?+jD#Fs=0ZRq?tUt(+@e|Bfje_Fa$-$ud;{((OD`xm^EuUEwFr#D{FAd?6* zcsCIgzB$n{!Cp24jC zf}NsM%)ft`xZbXu*lfb%5u)p<9IGgKVB)E~&dNXMNc%844Pq|~R1-E_w|bv!-im5X=|NLQ#% za+P9N>!QJN9L%bOw#f&eoeUowj`J~?adVmam!Ll;q zq}9=HxZMUK?}iYu4M5*CypetD2OwMZgaefOm_c~qN$_NMDgPwduj(iz zc|^a(6QPIz%B?-sZR1I5Lk0v}sbHliMHGgEM>B{XD@J5d{w%f6*N3PgyKU%kec 
z<1c?cs7=)fg}u9&JMppv5C(7Iz;Fl8P4sx(ycX&hgpbnkP;@nmBUzKiQBa^W>UguH zw1KhIF(1hTi-*WVG!z>&QhL| ziEMq6G+|#AUl%PBhJoGcRrV9}+Hh63sL-wHla0-wUphJJ2%eBneFwYc)7@cDacz6H zzlEm1z6TiWD*z!TC6Qs+nDAsB=VxV}siW7)T^wBe9DP3FKHw3eSqP4U$|j`Jza`v% zIOAW48Q=PVM#Ya>41AtC?po~a{NFqcaOA$I82GUGQ83(6aJBN-V)rHJt3FgJ8 z`K~&_bNTOEVIhH?yabQAVI*k)fFfb}*spd30p>A;bPYp9eL|Pj(Oy#xxUp_vhTBR# z?_%33?1;X5+Q&ZgUJd}cwR%%|fx$S15IY0KD~8KL;XKx^*tFvNCMsuQP{j$~$wU1p zX&PPcx1EUXgb0bohz_)E*4t)*J-ptJwxXnRcpfO=-A%i#Y}g$@agS;wwFLznd*AUw zf`1-GIBGn6q{DYKLbNX+r9yE!M6AnI#84quc=Q@ETXSdw^1~Hn0B3z&T41q+ft%Uo z^trGd#63n7!2^N-buIn^3`dl%+khgKM}Q1tEuLa?L9q*&ngKLX&Qnr2izDFxN)D4O zwB-tP4brl#B)0JdaU@i7y)eM8K>4Kd$x(w6#KxsTg&q`^i(7D98y$kgMBBlUomF^x zrv$XLI_9WK)grCM(>z7+1W}8CB?wp{23jBJ?fO*~UcL*ko11+PBE5C;E9fhA!;2Gz zDYDT9SNvLw8x2tCwQoWZKBlgzhD>5Wg)10&ZSn=|uqVJ$C|8+%I^HRXcAl$%Kl68Iy?6`V%P1#=Pyxa1RXIO zDhrng^u6y~oE#B-&b);Gj?@c156y`@XX!_rv*TkeELEYD!vUKaP#7u}{oo0Fv8G8{ zc6s7ODJk|N?`2d7z?pj0s8T?#Ck}-Lc$K2DH-G(x-v)62 ze5B@gixbugJdbxSePHg*Mu6-C-Vd8~m5ZW4%sB|GFI%~hc!q2nzt`{d_An5pOSwt# zeu^gfbbEls4+AY@RXTmCNz+6n_rvs37c;@fIj%+WQL*-8g`ZxLIwBY`qiGDIbDSUa z*O7*krV=^XBdGj%xKJyQ$XtP)ffUlRs3R}gZF^N(ulgu6&_nl+<2?z6oq)jRY}g1Zj)$m2Ko4&K2V z__)urgZIVnr{MM-;Ntdu5r&HcfM{C-4!9THKq1)pkrAwaN(t1zAKj5wJuk)jlIuP8eo~g?FX}h++!oqq*H4`lpX>1h;NRg^MF=w3Bid%Tg zCzCE{kqMdPe!ko_+uEr`V)K`zm!Uj$P=Z~XenBfwul^`aPeS1Ui9xCODmcD1L`^;w zy_Na%7jkXsK{3FkZ9yUbTcCF|adq6?4S`{O(-4r;-ALJ92&1dLZM4o!7W&&udE~7I z;hRV0Rg*N64fGe^h}HR1%LC1;8oG@9t^4^b`{<~AHpKo>nCthQoh0!*hwCRkzI*Y9 zbI$wzN%4nc_NwRq_aX8ddw&x->aE~!183h8@0us`n_Qfi_)JW8;oWQdvwjiKd2m)n z&IW(Z_koKhuZK=o;3*}uOib%M< zwY#uUAz&nv1po#B63=&f`hI$EF?l2uTWLlncvT!ptQgWSE-uE_czJz3erBjp)R|NT zabU6Kmh2!fJsa>vq709QzA9YT-+#|ZUm8_f;YzfmG9qkp#tn&+*fp=jLSY+ZPJGrm z{QW;KiQ>BFRVyWL_V90da17f|CS~bCN5hw$_psSgHB)))TM~I-vm84uKJ=u+oJfmg zTCz)*tkQegsVKPh_4V27xVL+3x8$z)_5U1hX-_6wf+S4sjwcRj<1Co%51gG*O)8Gj zh1s=^Z-rVno8_3tn6yK?%pAdj1*7uNbbV22Zu7_NHqN`DDyG=a>w?ZAE4~O{x1&9^ z6`GTGO)<)4Sc$)F=nkt^W6nODwK^Db3aR_ND!~_XXk4t^26X(-fPVUmCbnHULBjk60W=wnR$10Z30BsrtZ!`tt_ 
z4`^?><&P+u)a=4?yK>7GW%)lm=#(uISt>_yh=6*|B>8~x)0k{kZK-CJPrAO% zkvauU5-ynzC{gBAk)&ASu*J&^Wqh{HrX5)A^7sE6 zz1&1oY1*+wzh30__IsW5@|KJ1{MY(&iR*9I25-e3*K6)s{`UI4Y9S;!jcsyeXiWM; zpwBwo0)sXMgNE{)xnUJz*V`xP8dLiwtvPO9J;JU9(V~{26QNqmB!m5N`177K9+VRD zUWc@@P2eSM;*W1e?>9YUfkZ*C&T@2zz7aJ82vPx4yo#<#lgQE=1T}vr)98qBJ4gyl zU8~G4IWIkt=ZrQ?p+8d}UCJ@?OPMg7ZUB~Qh%pD-!xOTOvU~<9OYyrO^s9+u&hv*q zVne$<4!eeLS)hG|v>%qZqR@*eQb36$jY&3$%KRTl5nK{kki{Wf;CEt9+< zEvdZ z3WTSItm|sv%QXJ;Zkt8BFYc)R(qG(L^a-PsA!Z1-YQxKkOf`rUtXuc0@$dF@$@s}l zbi!#hZR>yZ^^4PrD&-*q%*VnRe+R z5ImN+{Wi50!4+5qKr^>jZ`)d8#@gVt9va)v>R6nB#=xLfCuL~>0=psNnYZ^CpPmHa z4__PrHe=inL+`2)o+J#)L^URf`i|KtDLU&49u)YU`FA3Eof->!Pb2*z&n8x-2OQE6 zhLxy1u_tYKxIu!od1OZ~A}uR4k#Ji*&1Fy98yOk7BiC9HkWu)~6`~)F>N5@UBbc2& zNJgs-GXexU1nWORW*ORyX^n#ILiU=Y#eOt+S{PX&uji8}Qei&*C|of`vEs1b8`iyn z+n%1JED$y1QmPax_@=p==mWK*SUFfn$|Z@gdZUUiq9ZXkw0vMT4&p^@Ib(d{e8fK; z2VSCeI54}%VuK<(w%r=hTiGLEx2!z3{8{=-fgEuzg|h*;N5T#G+HR z#sW1oa)%6h)u00nE+bszwZS%&MiNq5-CN6%VY=!MJjU};b36ktN@Cs9D1KZLC4Kq~ z`RPS`&y%`ImnVuOyZ{F5umTpToe4tS0zubal;53a%<*$PV`qo_kC-1tGL3x))zTPBeS@HeiiaGMLKr+0 z#!rOZEW7Winx!dUfuGsJwQNsGvmV}a_MC^6LuWblKUW-vU0Z!qkXtFpVZyy>$fXN- zM7BA@2@UXvtBxcsMWbO=7(DL0kL4tUEguvvGmHCF1|kNX z`^;GYqUZUS+bDIje9@aEYRlt>%$V@gQjwaZjp3|;|Al$!Fo27JKb>^r^-K2qI#R|q zJJ6W2sNWJlu%}_MCspsg9a=q`>J7po6XU4l6FES;9tli(bc;V^ERu^rR%c*stz9cF ze1wqYEe?Mz3U6F`A!PfdELj*AyN%Ex7wnND%kz$W4}Z1=Ow?gfuu ziMj##zYy%rkP28}uLKK%uLqz+_r><4%+h|lVcSp>;sA9?Xd9KZu@(_#c1wK(6a~IbcpkBol4-`<)FJvR~>$=bjm5fcw?5{hM;uVy>8 zlr1;Hsx4FO2of8e`hc4A!(XJcij#A$=GD~U}VY)yFVCglZ{^f<4gN z^Ji=Fcl$m~a{2qaMd~j#wbj)eEo|Y-j|&*hm`oWIG*>*FY=_FB>ZS6~+vrE8^F|wH zdk|x^YpLN0{t2KE?ux-yS8Ckp##_FS^I#dIBY~lK!ELomd32C4hST}nI4_Ig1dOPv zu(0UDHgNX5gJYZ9*!dARJNRZf%t7ynU1Rul5%LtCAJq7uwcED{-%o+DgR6(Z!NXR4 zs~gU=fx#CN1o!{_fIg5=3F9qwSJA&^fP4RKZhbMI$U;3sCW$*6?2RBrdz0l|bW5oT zYNzxM(}8Yh3e4Na$7X?kwzr~SlIaaD<%r;1N-u)R=jD9V5c%Juj;E*aM*l&`WIQZAfVxZSrV21X5 zEqFi%Z;lYhsf6IehLvtH7hSthq4c$V>BaRJNl5Z==|+G4A2bV^Mcf&nIMVrY${+KP 
zvO5HRe;)I1iG#;A1vr)%O0;g9z(fY)x^x`_PXh)-Nl_4VEQbv71!aO))afneINPr8 z%QRuT;OC7WueJDG|43%s|3t$tt`gz}6bCm4N zAR>pBXabdh8+YX)Hx?wF$kuj51RDONZuypI&4b-(o?$jA`H2r5uMPW9b+>i#N3>B9 z_4^~tHy<)B6FTh@5|sWz8JW1`Y@>!ws-qf!)gr261rUYk_QtL|HwH z1t)b+kltM8GFMKcmz4BD@21dkF z>LEVUsrp@%dtB%>0Om{3<{v$AF)&>-N&-huHHJ_Iaj0*8h(u{*L2&%B9J1BQ6&b45 zhjWC&eYp5;qFr~meI)}&EQMl&;zxaNI~ppVv*ZK#YmAtM^q0ZZcdp}Cx;;_gJ)|0y zbWC`{!!ezak)oGN=M+KgA931gA!#iwGfzL)LA1ZCpcVj$Rr#bN!%b85x;#BSZoQ!Uk zS`Qf0PHRNbV_9d_enr0o6vf97LEdP41Y7<4ulCtHIpSH2` zP-TqqVGyGs!skAqF#hhQ`qG`c`q-Oo_#u40#`@FygHYDQ{wj5DW-=4(L>Wef)d*ML zROqOG{wNjZFjS}}KoFsW*C-gF@>uQp&w%T{!C$OA1Nn5AL}oYGG+TA2&y$6jerpN&yy!E0yS^yLKQVe--K^)XCX(`fW1nZRwW zVw+E>qYuZ z{qh>Q+UoOz^=pmE{Fse-5%SLaY+O}!ZIi1Rt74Anwu!DJK!c|&P&QE5DqQGeNF@0F zz>Pjo(FV`5L6MG8Q&FbBP+~T&iZ7~+*ix!EwN;0kz}!8a{Qz3neTTR?m2`0D9z)fY zg<$2c)cx_lISj)WD&Unr-m7n~_>jV%ae;(B@g9DUz&Y|f00KBk(T-R|5~zo6!J2pdwbex^lys_MM{2!z<5(DzKYs@5m-!}`*wxIm)kamEXN@7 z?07$m;E<`R2Mgi`K)iSr5=15MRP$TQ7Fa(zLq>2!gWW@HQ8$t+CDS6JDEWfWlqc^T z7hY)xt$0Yz+2+dY$F#v7BdwiTWO2%~Y%4r072rXcu2rUyjfX0#xeBkK(>|Z4-jtCH zK<{Yn;g!0r7jJD&d^=?s3#_M$ow$6p?GRZNE)9THhBOF|3yXnqKlgU=hJpLr47*Dq zYfUkDNci-3fz6Xh-e$DS6{t}6zgk1kgT{cYL6)1PC{c*Bl9Qqyqj+S7( z5kDTJ;9#HZdRa_yIz*Bbt) zhx>E6qa|T#7S1$g{C_w?`JBn~@hAfPz z7LuH}SD8A7#94rN3+x3NgxN)|X$YuV8%^3;GT=LAT}@@Kc$7xAM>o&_pzf%3>P1AW^rTeu9Pmy(d;`!wVyxDA^eD% z$-Ny4xnD&JBELbaoZCj#pFe!=<|8idDo=0=IlO~DyfGX2WJ*wLOl8_P?S4_D$zkq+ zWcb#_R(92Fr#LNby?}d8ghH5e=CfcZPXF%5*Sz~s-PxE7STbHcUh;!R$5qgTp~lCz z!V=bAkIxlv0zdI@%SSNFQ>0dP`4Zxngyxe=h7lbt^xEf|l184TH)_}&KiB_F%IA!2 znE#iw*Y)=`h_?&7W+v1=O%bDCLj{Flxxz?Tl|{!f6G|_S&D`Aeh&+sJIKVdvCvmZt zci*>m`TLtf9}r{v<3`v(6cmQ*zX6iCuUEn^#63P0-MM8|WTaUzMlgL^WlnRXQ_uCu zqRY5ToJ5`&Ikw~v;Bi{qYJLEgZhD7y$A#>b%Bb8i_jLoIQ`+dBV}PUhOVOO=rM3n~hZ%kLm0CHEY+s-x(;u=%8mKL2}Y;L2*bK4HOhQJ%E_d zlSIfZ3*z6^6zjg}=zG&n*?V6v2T>nBLj@IQ4gSZ}1EB|2=I{CQw3WB}doomoKc}Db z^Fm+e9&Z0D1rLWk1l@$u@eZwu?aB$}###*|> zTmkKYsAQ+}`^7_qH%=(1X_95mHgfY8yq_aIG&X#myomj3kuHF~McXs_WJa5)DsCGy 
z00B(@)@PIg1Po?ylxKc%Qo_+!FdIcR!+3v=0mvxwZ*0IQg;ojfc4LEZ)HX=YHHPIn zSh(p`!biq#t#y8MQG$o{YOgv@Jl+pYGh3Xuwi+2lFey(O-6?G$8y#grIJYPWM;Hny zx&=q5LXiI#;7gDk*@a0^H^ab#!6F>VM@O4%ebLAdnMeO50|W5Dx6m8!8ExP!|BZ6K zFN(flZpDAN0p zt-Ap`-9-r{n&pg!hNIf@Ej3ZrhuC z@N8lMz7$*mRFe?hs!ejq1=6Op&O@T%EmD_s;q z)EJNu;1v8do%p7f*!aTU61butYvU^M;08R#3Gx_aYYA*@lzz?fppSo{jLNjXd7ZEQdo|; zyqVVprq_0HS@4-Y)y*ff(>kYs@Il;lZwhPy~!wBMUzaX zzrMZuz}N)0=w>!z+sm~wXkUI}UkYr$z?}52ZEX;C!t2aWVe^7Jn&%dpXVX%Le~!J6 z$Esq;Yy2gvx94I8Ac>xt!?lgYOl+TPu&kITIkvtI^$T8%SXx&j`K2#GT3cep1$Wv} zEThe_ut?0z*sypS9QK4a-xq45#0PMEy%#Le9r0?06ons6f?0Z$BwrUUF9^Ww(c(6w z`ouyw25y^1|Eni%m&90e1xEV1J5%y(vrv8pm9d(GTOLJd zU`rVmv&vAs{-mOzJo%OYf<}kYXMSiG(M9u;{sAqHEsQQI3&Yc2w3F#AE~J)}#crnM zA}P2aEu0O(GGGLqo-1^mpG3(RvBGUwN?(T z!W~Y9a$3Xc`?b%jixg9FV z#KChDwj&2!K@AKY_zgMi7GbFlJ$^&|@pGa}0$Rz19~f-0pebitOqP99<)TVRUH_?#V9ZASa)kcs)p z9MVAvMtK}3$qdV;xmBtljF5DJ$h;@!)VPRuI3VbGr-uwfj55;8&VZkq31oFz2+5F! zQ!Ytc9Xp&wonU5Kv(IN5yQ%=li?9OM>;ZV*( z*5y?}0y0_Q3gQeKJ<7FIRo#MNypTlE0shjFBJv=GLCWgRvcB<%L96sLpW{UOUU`FB z=n^gNu#5-_@IzEXdl!{|I2#NR1eGuPHT8!t2Q*7^YODEZ>McRQ=}In+ux_r`rQ*H? 
zRY=!ef5#ChWhw31XUaAvLd*0c1ZbRdmM3OjnV*jANSFj-<`u9zpb%C9fIhKNYA*g%y>=LG#M z{0y=xjUu+tqTOGK^T-ixwk(A>@YVmP<8#Abw(O()azORv>-ov3wbCc~uM_GCHm`eN{G%Ex+XFcE)|n2&4Cw*qV_Np zGCp7Yfi=WzydLw1T|a+50&8_>pXx+$E3%68L=4dHTw?l=5%zjDq9kW{Lo)k?bT;h3 z*9H78jpMHQ!nWNY=Ee(qlQ42KBSGG~Z(n zx7$X;6#Xb&1dq)Go&1Nz-}G7!W85=8oE>LlFCzV?_;K`arb@jqA!$aNi9yhaE`=kX z*OjBj-n}UAs(Kw0tJYT7%fefYW}XQY_LwLl|7fv2XAo{ip)F&YIp85oaBl_xOe_Wn z@qq%Aq3Xo2Ko2cv0w&-v89+5-TXZVhy=N}dl8QjU)g>oHd`)4s<0;Eo!aHDMko%ZV z(tA;Iq6y#mS0Bn*t+66*)Ta?mWbMNbO(kOU*zD|Bo?gz6Hv~thCq{wzJu0 zx#HK>$@KhNjpu|Y=GkW5hhBkZffc$Ooi(F_v%F*sC0I1oj_oXEyTg{3V--P9ybCYP z#4|kZbPVAtg+-B$Wv&BH+P><2WGuXk&;HZ{U}sRxq^i`qNO)&!sYHQnZZc7-IBzh`RV<+GD>?FJ!2Crctzxxl%%N!J4mhT9?q&{Y$U&_WP40 zUT!c#GI#$Ws#krK+JXd&U%DAt(a_L;d|Fu38F6DPeXK$Zip654g+X*21zlYPuPlsks-WJg4cZ;d#;#wh+j*YR$HeZ_QIldGAouS9EPhn+Y zhSdBakq`1=5zAPuTilDi?x(LT?&`h|@h44FfL-+-tiN;8M?9T=+-w_>I9yz9KzELE z^8LaVTM(VkUphedB$F$3QRj$xC~<=%#tqtFM`3V6kL1@AE6wH8| zDKe$rp?$g6XWx zAOQW)rix>?qZac`43@~^?2pFSv@Q7AedEWsoygf&1DT*Qq?h{1o~6OP^n^W(fc{7m znhbp!NWO`+RP@GoAR0h|fLrgb3bNdgxUL6LOQQ~&n(IBfu{|vSRiun?RKiphb5k_E-O)_{3?V`TT8g>jel-B#NYl#W!*1_P z<_zGWr3CD5L*3OQWd3cK7Q0{_6Bs1)XT+=L z(<;~b4#NcBa%)J?%-jgAVe|dF)&fPw-e?j_kF1bl&$gPFqK)&Eeg#Uz7kaWcx$%rL zO0MmWA51+PmXt`{Nbh5DI-!V-<~D*7o3`;aDQRY;5QVidVL{&13eZqCz} zJVkQoRSD6I^9@WmE_27{?-nU#A_7`}8si7$9xh3Mo$$YzF3LW4Vi*LP|E|j;uiCgq z6m>jv33;~xuVFimV(7a(@^5rh(2B8V-$+?Qzvga3TNR(+ze#NOz%{ol^z4(6JAn{5 zYeGrda^=u|s1tw&!j_czWJ3ycKHK)8NxBq^XaYTj`%h9I;=pdMQJ2ScED4og6Sz^8 z@?H_RLH(z${_B>GB5>!}EKi92hX5Kq=NwkKO^dlKJnIfayeqqRK7u%mWDA1hE(^~w zMk}3+=R92#>K+YS?x^0oa2a|{HXgx~%*L_{VX*lxz`hMP7~gA8E0>|WoveIh^~MQe zEcdN4lyN4jCz3Ijmnp69-#Nm!IesAYWJW-F*0UY%)1!VL(p2m;aH`)9pDMt)@F3v! 
z;VP=l-^KdD(7ju}%YqDI!iGXa)U#vFT2?6~;d)(dZ0@?D`E=iS&}!fyf}ardP8d~m zn!)fpHlR4xf7q{|03{8?NLB7G-DI$@F@j6cP+25yq*@e{>5r|(x~cSp-?H}I;2{!V zKWKxL-P^|(a4Yo33nlV)zVPi>j=m3elgQJN18|dnm%f7!GYaky|ArZ3D+ARDdxm%t z)=|*?smErBYTy*shkqyK_>?&FX#gj<=|QJw@)_mj_4QJEJF_u zZ^fy@g2Y~j6Gsh7MCS$QDih1IX`1DQX7sYL6#&W(e3-W2MRZ!F`yrIMwd35N?!h4# zLHfd0t}ZI1={heYYoe|qyCUk;2QL4yhnVLTdtl}$9R1a1H}5@svxMWrb;6bKknYK0 zo`WekV1wbzce=_6JSeG`To^UJc>1%iVl)cUL)1))%gi;2DFRvqx1>~XjFN?UO338A zq-s|*8RDkrxc;$N`lu&@TP;G4%M<3pP+4@nd+MV7nRMp=r428-;H56YMSR~27K(h% z^&B`focDaO`fNz9MKgDTmj_+oAt|NxAS?USb$3&=d4soN-BwWCh*qu|57n(et2wQd zp85&KkzC=GupyAfqiGeO((Ur!CZx!(l%h-u&yrCHWtM7s{UK0DGZ=I&bsk7pC;Q*k zep}HW@z+yw>m&P4vAJrO3TEH4yZdCcdbw2)n5QkG*#QsGS_AagxLf4FuNe2p{(6Tm zTv$s8fAcA%KkP#J`PHeRSay_$JQ`8aXeP`kn$ezj)=&7oI4t#2HV1_yQa`+Z92m#B zgi*|X08Uf!9$}i*`M1iU%{-9VvDg@^3iL)Q2dbMDjn7Wze#Qt*v~5u9Xj-(nqQoOq zLXdcY^Q-!i8|DIk%9&Ck!cG&;^6cIthLN$X#Nv~xJ;7WS#?%-Za}#GJuwburY>OFV z&SraAj@f+PeX*3Ctkv*wSv1bF?q#vq#Qq=$jqym6N1efVPMmDx6RrDFCY?@v3QsXlCdo-=tj4sm@VgFHQwL5&IQ3gCA-m=${*hTBjr^wUzminup=3 zZUy@Vt_SHFDVdM|_kr}}JsXh;MOWAlq6am-8d=^8`u6Xe&{&r%B0LzOr@W~D6#fd# z^}F}zt>xoqzuwYt6w89V!*0s?p=70*ZhmcV5&`IZ`kj7<)GVdrmk-AWml0qt6gXXH zmD|4U=(nryyH5Z2k(5lc!m`sP ztK}L;SvJj8ku%=H!!LlSa;{ZnCYMAQ~<9$Vg8+qI6F7H{oFdj~vvoB8TIEfO` zbe1zs5m1eULmt%l__hXV5=EB`Y!p0tanhpI{YxCnMb<6mpPwuYas34gdx$=l0DM=$9utr!Zum^o|!dN?(V?Z7l6)V@P2u(`jp z-f%QnhY&2%I~q?uDjC|&tz~|IG#el{}p7OzASqKIWF6{2<1>-sZ<{Hut?I*rj`Jd-C?tK`r zK)dGLF6N@ccUe3hXN>6I&0coc)AoFs|Mn)5j6}J^=J!$d#T%HT;l$uE*92;8iCO>C zp(S9!gs>&)e&n8X^B5UuiTxGwnxBTx9n|GhC(+=zJd9r!!_wp%u|g z(H_Wcb~Gxvq^>QvOxZQ66_I@SE?ASau+&LEDaqMT|Fi77$-;uCd+DjYN0_*C!>jRYgpfSzVwD2sI8toDr=o(CUz}4e0^0ukrczq}4c9?mj@| z(cghqncqb^YCM@8sG zW^9&3VXQWbTVQ>P!boFF?CdODeQ^jb+ya-Zj`i*K2I}601I=Hqpf9yOM9Xwx|fa>D(t%+FYU#m((|E(Hji^!8G zFG){u$nv)^tMna`&HjF-1+0s5F}@58%#9LyK>*`i#t*f|ka!G?x9a4N?`QH&bQCnm zvM24^Cvn{_POf-J^XC42fAa4_2w^aKb4LILP;`G_f}woMItxNwdb%b^qiNn>zVw0H z1mlSh2S^mBF4?tLXvu(H2qLeWJiBNdMeMasUeH8dWugF`mAQDTTNwxnWrn&o*2TeE 
zAnay{kXg}YoYyQuux@OY{1YdcigK)piEKJ~H0_0aJT)+(r5QrUJ(eB2wr2i1*gvjE zY$C^c<(S?DL!%#yauz=hN*ky*etk*zP2jB$+IM~(%x0%?50(C&jR~ap8G^RPbRQB= z1PsGwz6G0g5_lBg#Wc_uZ@0#B;kC)L9|MS4e{^?Qnw|B7>E-wJH)9&e*KmG0D|Dhc z3xoR-DaU=b97TL%fU;c|f&Mt)Us=+*9RkrNPM<8ay+f5n>&-%8gi8}Gvw&N7s80{N z!Ftd)e0h)HoSgjLFnF}lk~>|?WjWy-HAlL!1->^)$RK2{Vz-8;1|G{DbnR|;x_7s9 z0#9>ut3)3Ib#VaKWapvW54+35StlO@A0e-8Ir=fO{#ToqB!_ig9N4)SU_l{U9C+Y| z4b9h-cS4eZRXMUKoIB^W6o-kz!_{n^_&8l+UcJkH)t#lE)IYB!@DUpS9+)Iydi_A zbYU?6DX;b*HZZ8rl~FNIfj;m$r`3f{aKgM#id1OF;jsxz z%qVJw^Cgz3V(xb9A@94pwC(Nl%#nG%d2;iZd6!qsw1lL}yxbxMOiS+!3SP4dnUtaG z*O~jSy()lDedEr&N&O(67Obiayn}S(S`WH;FU$Umxl|3ed*yEz=L0zivnblK`EdIORmFp#$35|zBiJ_ zA+!45S*o7Z`}R`!$9d&nqs?_!mzD4Z;r9#NmJt*7xC zRg{*w3SfWtz4P_9l5@yK3xuhQ8~Fx-XV3m@y`lpUn5GSiR5FEvyh4IyDm1SPJ1I zx)gup%DiGLWp!kQ|LC*0;iKkgQIY#ZNc=b+C9w`Il`K?>|8w`zGxe%2KZTrtiAGe5 zeyk%&MroVYH7Gi!V=;80ACjF9GB9#3^Rphh+HRG<6{tKsuK5kY`%^U@Q2$#+K~+47 zx$+A+yTa$kO*WZ;R-Qiq&(}Ihn4AaULrNrExpolIr05Wh`vLsT+!gvyAEtlk z95nwK;({lohW(**bj(caE@lmvVP`7?FAs-Jc%(jf-I*PRA<_2CLGVSts~lN_<=SJVTj-Bm}lRYt*78CGv36 zWF#+#C_zUG9nVKyW7}AR6RurySr{Fkt%C~l>Z1cUg5PIvi%4j{c${P*U%MfVAErZU zxoxi;1F0?zwD|x{HzDU~O)-oP@LQ_i+&~%gKz*6Nv!dhd#a!Xk3XRIa*#0VIy{@1% z4H_$Ymxf|tW*M^96dKUx*f3Pg$>zBd(%5DC3E@3y4Mxa{)Vo$D&PNI8Dd_~9yk<)F z0pro_e_RP&&zwMWIkJS2!28h)+{ie_SAsVVq~Z{60z%yPks)Z5EEao8WyEV9oeEw? 
zkT4s8W@;rp;OvNIr(aGfng)3{i804#oWHKPuQ6z|eJL0z!p#)~WNSUSyr&@4s&)VS{Cq~RET<>pNSu=a2YQSf&@Ub0n}EIkPlF8=n@mh@(z@SC z?K`>1%i{7)rR9CmA*45v?Yp!>w1aMbPr9EsnE3slREf{+?rRC)7FRi|oio2&pvB-2 zfSQ#UY{%J9utj-&@k2^k1d&k)J|VW`ZBX}tW%qoAI4}QQlz0|84>OoOUOp-hQ}d{e3EqAQefY%GcRV zv?k&EsP|-(J)W8|mQuJebyBM#0TN_8qaEv&PN9U&-P_^1)90dn|0yGuPt#T`Vq)PC zpdIU3Ia)Rv4L_qA9OSLMTC>D3*mv?4x`ybR3^M|85C2nCd^GR}ALBpY(AUE<7N|h1 zN+wQ55Ts*CFKH42Hlv}=L>YsDQ@62NmX=Or6R48QeH!y!tVN3h=qRIrIK_fouo1Cn zK6*3CA>n?6Q&MpI^3U)FQp8K9c}QvAvuY6(O$PPzs?O8q2^~9SYUBRi)cKrUW`gKB zdIPaYjFCbf8AkX;x?!DYtOi;6qY97rv}?D15Q%xc#aP{KK57=i78WAb)B$6i+Ok`u zkC-$8g)@TkqVmJ(9I>wectR_60}m0z7eR73*FyzcM~im&_7k$hdB-XWor6!)c+w#P zn*K!q2-ipduOovu?AbnHT~9LRJs*^qOwO*a7w{4pzpthJ zEQdAP{{wzNfxkmVbp+eD-vcjRMIZcoRWG!xRsyQv$}0a9+Nt!}-P=UPfEqUBkGxbm zflmkV0C*Z6M+$qf5ol_3c;wu6^+Ju&+E!B7i}pZM#`7kg=p|@a1+s_6DK(eK-aD6$ z^x$*9(8EH^t(?K{CX=!^NQP$25Z5u{BRFy(i5DB5VN za|;TfAb)v{hwfsv^nwHCvEX_mH#(W5nMpvHSiRX)0`vDu15Btx5{1yWNWWD_V104* ztaF|;gd|=~mb!9{m@5uBpu@YQgHU%0z}vR8QGVD3*| zbb?qXh}9Ov4o(`{rCziHG!rdqD-g^<@qq^Nd=x8}Pt%yxEXQI=S%%qVw3J>+&nfzl zM6$zdzf$N{N$m3oQ#)Bt6}^He!?K=@#6lPOVp95rL%~Wv72i=Z<^PmNVMeR${{$?H zsPKykC#;k**G5%a+^m`?9g&@iX>Hl&VY$t%M_Fu97xqEh)SY?IHf3ucv`HIkx@D`9 zApu{p2}oVjDGFQ=A;b4U#;C%@9_+EV{sPV_T}Y50UcZ zaBye0+USH4;Ke?96)qsPmf+ySU><*_1$lQCctu+DP%^HOWN+Xb7@IjRgtU%jZwZj) zSt|AAtu^*KjAy2p&t%0`*;OJKh_TvIG4{^D*U6Q&<;v!%j-z&RWhqQcsYNix#SH0U zPNG>~Zg=6mc}Vx-zLzFpG*6RW79kJf>&S=vl{ZX}Qdz<%T5A3&D#xrT>}|y~gI+I5 zdyDWg%AB)PVy~!;s&)BqKhhdd586}k^yetd(}d*j1df1;F5+C@?LXW3Z?8Bk=sO~1 ztSd*s(@7Lgo;m+$MGFo}&wRDZbKR9@A1ASKc)YPx%)#-{vf<%TEjEnSwqe8c{R6RK zXJEOC0)woM)mUmZ^i(cL?qwFZjk5K8sOL9kGZA5-_Qedt$kQNk>tulWWw9xim~u@dWr4F}4L9 z3opEy1GS9TQcBfihRDt&kPWFofw5Vc8LBVOLp*>X^g7JA%KO+=L(wul7)gb#NkjcL zgaG2JI6x%@=Go?K%3~)pjyhJ}vGUrie0bc@kmpW@|sdC>xeTL=W_+WFuoO9K_sEK<)t!*P7()X>!L%1kW_O%#O#`%_f ztcy8`Ekr=BDCe~!@kqEPu2OBtg#t`ynR7KxBBD_s*3E`I*WFaKM%<4I7lnQNi*g{=d4viz`ym5dh{`GNf}CQ>_oBzMbjINZd@ z_gxu<;eNfyceLg)a@vaqT%0~`&Bar#lUK5?&?+IB4)%~Jb61~Nn}m!|Y!Pg3kp~x% 
zHPN(+mG@cSmnsUlv-1V30&a@IaiCPg!BGK{`1r&bSc)*l4ghU98Wz4ea7LLy;mPRO zeKR;HK5@{;gTvyJWB25^WAYu7ug&CN91a^Xc_LB5{ggyW0wl$bHk$ z#%P;tV-L{Uk7us6r|Gk88f+%z&;|sZtmj*)3Q~aR*1|H?1ysCVe7dwA*4ja)M<1MR z$m#4kG16I>8Gnr%&JE*x-*H>x+z0chas9u0m?M9R1S*R!VnPvF=n(sYd4vUx7k7(ZMI6cI0h!aZE@|}0)4NV% z_3D}|N8uyaobqCR!yBsvl|BXfV9KoQ=`*&9VWv-?bq1qOmaHvHHjn%{s9`Y59|q*S z>e6@Bw(g&-iW8Pn`=q&8OS6o3Ua{iUsOKBE#=}0Zc;|iu^hc_}H5xuBTOMx7mWS=x zvK2`MErq+jlZ@@%lu)%+n*sjVN_kGA7ZcLkH;MK){F~VqCV72|=1ImO< zR%0PaT6;8KNyeT5c;KD{`hCNaI;ZIMeEJLW>0uo{eHX5yIow6K z-o{9e)y)viZ_36uc!vJ2As(w2r-J2v(ig+^RfLmf(_WRBYmz<=cOC3+ta3d#c2%wq z2DP{=THA)Z()X>os{+%=$sn4385Lm5U*N}#2onQ8gS|LR8Q5>+lQu3HBX_P1OX2bG zj1ydzT(LPfZ(c(aahUL{d#G(ADyWqVSF^3y=)! z2LLZ`Qn$qa7F?w_IJF`xxK2}Jw)zwm+O_h5y8Rr^s@;uQlw2-3QxK6d69eZXlFgk9 zXfd_YRRVM3YS9na{%f(4!nJOwrQzXPBMq)ZC*pJ>PJIz)*tGKZex1tSx-HKaH@~hJ zy0xYW0&$>p71K|o*S`2Vf`z?P;)%bBvL0s@+6!h%HTlsVJZ6pc*f{w$`NGcBY4H5h zE-j`p96*x5M$=n+oG%m$S%>M-nci1-hM7|1#j%)%jZ4OPVM*;&@@|vJpbudqB@K);n)|Nk0vF^KH;J!L$(l4S+KElMQ#DkF?($UkUg(L z=%)lI7GYi`knD-035Ea?1%AXJMVyQ0#KpykkLjC{o2qM&V{k7dTHBO>z%@WVx;L|u z6mNwk+6fu@gsv?FChv4JbkH@)F-$|K_uTKBqo_mKA{yuo{)Z#8I31p7>a8y&R*$1& z*B!fVz^(@e%|cCy8r{#X3kbhBo;4UXkgCK}mvNh%iXya%l$8}nj}ard5TtiQ!wed* z+*azJ-z)$I`(#d=y5}uC#ou>FoD?T17kI0A)|;PFicN!enIMt&mtP5u%;^?#yG5bG ze#?B^Bsx_ya{KNhN>X{rMpMnX%$R){3fuUk0&-dogZIBaNxfABrtZ&AB$Gq|dvlY!I zEQhecdVT?c^LV4cd1OOe2mAH>SZHlKf%Evw2%Nqi&|c#FXb@Ro)S5+~orHK5%@zvK zCYz^LeI{`6waE)WSqu$^xij~&5+f1%OxxFWyXe;JvkI}>In4Fq)APu zQjUeerFonVLm!Yds36QzVKduW#c0q!bjoQs*2F8`bP_H(r2v)dvN^K=;s6{-1Ftq< zv9+u*{9>UuW9%-An`UMG1rf>pl6~P>Nz^BKS`zW;!;3f(Ax=htyjJuETU+GcF~4n% z`&yVnE1d+}NwBpgSk{jlNwCKaC0JLZ;y&r_yG>Oq3Z(C=7x%b>AXf=eW=d5o+^tQ` z`W=fK;-`RrF0Dkvh1gb*O&Ae;M!_wW3HpLFzaTu@gS$IMGmxWw^o)e#5lZ7qJ3G zn?gH~609&@qZ-`1t*gNy`$|S$p1D}f>^0-`bOi}8mO3%=SzK&Q_qtlm!$iY*d2KUE za&&G!IJ_h@mtXZ7m`ETm2ji)0@j{M?kuxR7Oo3&g4rGGEQC>0}I>GDd2Osk?)wYX| z8I?CtWf+7aqk}n-2+(~Q2upXv{lUOTq<`SI;DQ}<_u$zg`GS$xT`Do^18TWD>Zj#rBC+k zN}3zRM24ZYvO-{-?owf;?0&^)NrnZi68X3KV~CKCXKW=;Goed-<7tMabEx~+=c6Hm 
zvggi{JJpeF&Fr$}9JHa3hfu5`j-}*L)0*c%(OdFp=+tJe!p;R9lxfV_0ZMW)CgL`r z2Tb#s#nh$*QkzNC(m=oXYeza3w(mn2*e{gn2{vnadN zDwj)!s~`y~#>xQSd6ulsm@a#xmp1)x{3gu4qIP`9UQ!9q{EVoe!mWTXI!Yr+>PTvRaEEp<2+wQ zcl${66|ZB#9!u4y+D1?4Kfa6=JfeuzNm!K<)!aOnm#(-D0VwKgN*`}?01*1mCa65+EG2D*f z{+=1`!@Gfoo5POxUB1<@9vmK8+sX|zY#(;4$EM`CnWdLRI$C&ael9d)4vB;Mk%9mV zTc~r*Ut}n$Fbp{f6(DtcT0ecpff1`^I_ER%T>?PWnWSY99t|_$cxE9spCZ$}7>#5M zB;tgZa)w-egb;3weAy3*^8>fGBL`zn(qyr^n8o9&G4oYP%2>g{QzmW|A3XDK1rrQO z_h!J7C90&)_Rymb;M-FwhG1h|%JQJ+5%oVYtS>4RaG%hH>a7;U4zo0zkYuIh(Qjg+ z3-meac2=x5(U`2X^?W9BlRoDUl9vlHFLbfl$YO$LgdC$Vt+?cf-(03DdM;+M^BEQU zGTt*@U_d&l+>j^+Ln!q}W688Dep@^y=9ub=y@~Qq%XAUEH+X4Je}40xxHH=1(iG8> zos$)HD8{Z}g>oJNM8e6XP05#r{u1R!{isj;#cIiKt(yZw;pMMxK2{Q|j#LNvml zB#Y*&n9rV+pJoAFZXszcAe$n_lw>}D&oxGk+n|I0(?aJNnB+C}A3v5B96_z-#Q;N#SDj-9+AH~$TyF-oo!D~03wY4hFoM|6B zRJGhBEHOEea}8Vu6-ehC%`CF8s?U(qu0v5CjT%fh{SB`;_r?mBjsxf3iQ^)ks(6

76AJZxEDqn>MpiE8Kt33D$0`h>LR zpWZz`Jv)2Hqd$A)lI;_Yg`%+|(kYsg_J>!V7u923?Io$G64tcj6h2($q_~;$bmC&a zG?3jtHZca-iDaEfR#zk&9yiS4BdRMR*+(Z~Nv$es#LEM-nLsoI)M4?^rb95Pe6=v> zT(e-JN2D?TXR>7qBjC0$IfsGpf>Sue_zwY%2j%V@bAAjt==D%w31#aS%Aw;6o{Y?B za?wwsoBrkBHaxuin@wzI6E(1V;R~M#gVvE_5b_Bq)^c64?qxxyq!L$?QcG zC8B9YAb)-(=Hfi9l~Jr2BK+oGE7Ok0Rusd~f{`1IfyeHOQhrYuyAGcG@~=jVFN4J&<3A>UT>bI#kNF?xe>~gy@!bz+{4@W!^PCGi2fXY%&(j6|t$(cY z%>6-~yFXNPqrcIbb+_sZTE&nl<*@FMB(=s{5&kG2y@QC4l- zFkva^IxWQ2_g4Cn@M|XJ(6-LeC);$gO>Nnx1!CgS{pO}SBjet~Ir<}AjUUs?#_@6f z$H8s$>ZQNis0=)B36JQnNmZH{9)lFk%#y*PQrv~Oh=53MJrV@sW+b4|v5oc}4qnt^ zO@ks5&=ql{28?O21r87-=y7(tSOTbiL5jTtx6OUeG1$<#2S+Tihx|+>y*GFUaMg2#xqP%j8>>Ox_95Dt%KYHYv z^pZ5|IZaGyTOi5p{*G-L({+rp$n366;>C(JyL-o}44xOntY~4#0d4#;od>_J=zOaY zNLI&acc>pqw|i->v(QxPiZ`DvV3EK>W|4zM@h6m`Mj6L~jMEA4yVfy5ni!u3e$6Vb zdXOYq!AL|*0F8%^E3IBZVur&qgY;XTxUJJBBT-BL2VyIeNyc_L5F+@1_X>k``0?Jw zdbL0o z^VOW1$*;_Yr}(+X42Zgph>Bgs&rN^Adn=OlDIR@l?eIfn2;rN zW5D59V!t7c02p2TAkHw8r$wI~e!2~D<}ZbKU_e1Y3}ls6uJl<;m?QeY5ma47 z>C>%yGa;1)PYkj5A36**GVT7-?;q|uiBqa*!N$}-?9=~!=m)`A4OI9}{&%8YK{=7e zgnw&la2bn>`XkCNJ(&u>@F)W6Xn!MgKpWf1{&vs-^nGg)Rl`*sCd}9Y-Kf2SFMxq* zY$1(Sw4AN5l{^4kP^r64WJ7zgNrp1gy}*X{@?iSGf0Cq;qBI*LJl+~|pp!YL|2^kX zPiNufUJ-M`SsA70wNa^T!{5W)LcLvqHQOJ=n}@R%+=RDu&KMS2#SzJ|2dmr*E`diB z0RNJRQk1dnW&tGHJs<*sUPX`&!%XHc$VB+3Y>5k$>ZE~A8mKJ|G`HRC*U4(!1`4`- zFSp{H&DfM@OQ|Apac+o)=)z@s=i~8|XVDlZy4--vdMQ8gk)u1L=ym(h!C({n9k^=J zgM(2m_KViGun(aSM@#059bqXOOSg<>N#x{Z71CPOzc4H}_i^ABrlJ@kpjk$b=O!jK zN?2Rg6UQ5AvXvynSTb##UCC^4-siJs`!j->HYm|m(XEO7BZW9lxXea437*FNsK1Ad z0+duGYVb_P66Ue;yskE3r5A5`BOZmDk# z+v{77@ow~0OC%!GKS{i>Ag6|?nv4tvMGf1avC)3}9mJa3A=c4KFZ9^uU@WpYW$S6t zU%t0i*4I=B@_IrkVK(MSNTD1!yy)n?nXWFI7->v2pLQ2bya9Fmq2mwr`9ov%Xjn%* zy34iw+MWN#o^9{jpey?azqYp`6*|_qv|heFF-eU%5e}_sX=6&x?n%VpRl9ii(Q5yV zHs_+Y;&a>OqK>x6MXkf<5RCsnhePNVa4yS=Hsxe!fNjM=I-9U*jVrZe3>ga7U+%Tf zDh#s!`hn*U)v7c)AHIy%SD@q6&|C4S&NzXT+Jdig%=Ca=#pR;6#O6Y74(H!yM03z! 
z63sdvU&pq-DBG%$0C*?cqMP--y*Z5;SK;f9busHItVsp)`aB#?i))6MtkOP|_|#*u zrs2uS<_xwYm%&yKCIPLrx4F^RZ5Y#sH-Guw+Sld|8vy=e6l1P3%+H-G;|0US#c0Hm`B}Q8clkPd*3@$5Y%m zmCZo?P-74qFJ^ImwMPd%6Fe-%S11Lu(e8lv@hfcWhPaH#6QL|H8Q>ox4IsKTGvrGF z5s7))sA4lg^?R8;(2z5ee(tecuMm1gG_Zz8YpoQx;<&N`uER3QIw+Zr{nclGL`)i1 zZaUt-Uz3zjK8~Ow%FciFk^kA}pYCUST;<}%0ewjQz{{Yw2yVil_en@nUUdbEyl)~hUIC+|xG1}UDf?+f zTaBQnpGgW`L$uEB%QRD`KX^O)EWkymOks~Q(#J~*~t z(-pvgrzGrPJo?cOZ~w9j5dPrwO|Fu@WW)-=6QAhBWFv4KJWOaV;!Op7JrNwDx?MzV z^ZitDhk-K8X3D&C@or5d@4#b)lIe>FFiP}hHnaL|u&YP*H$9fWnWM+Cuo{SKRsF|3 z>l$aI)^8gDIfuF^%&$1WyJCxYuVr5*5mA7Njn(d>-`} zh)bjf-h|Wl*9R7-ahZjXoLUHaZ?Qw@S^EjRe(>`oOBXq-6Oqa~Hg8Ijc}!rp8s2SS zl%yXhY7f(uaTH&>C^W`%oodd~t(0!}-eEJp*XD&*`?8XiCxQaw7Qww!3AAHiE!+rQ zot#s{=rjU72Qo6=i(sHga|J9mE%4FBHq1eY&G(&<)(L6#g|x=z{?W<(LK^iVWx zzx}NT)u(qAX4D0!`?z*6FP-OpytqE#Px^Gi``O}LNy^J$Sb9E*rXf-H(mUGGoqi5sr z(0VowYI-)PwQYDkeczhbofJD;QcHW^=KX#%u(BXBD`$ddU4BONmqiSXkVy#F+@ zlAJUI8-6YTe7H%-_$!!XtR2RfT-ZfUBby;A*qB{xqhS)xZu6Mr!#7%5o2@f^p|Xs< z5?pE=CuxaJ!b}<#vz3D5hi0K5yqe5*wtR7#o6vZc0=iIjNBCu9 zykk5v-d0RGf4kg(%3*V$`oRlXY?eK{`rcR~?XZy7K*_Oa)H^%x3Q*80X^p`!p(T=d zv`AxYF-uvPua)eiII4x}R=Z#EaLObYYuTB=F2n>J%_58;HgKs+4#uFRvYkHbZ>Siz zf9U*`2M3*4)`?|x#j@dxlVKyVjHtQIv`&_biEwd8oCB%zF8H0Zh3(ynh(>r~SP1@O^-HkZf zgXKLeo3RF5+%}FF!5H*&kwcL7LQDTZdm$Z8p4(NHsYs*|e=@(|HZjmb|l zoyB>3dvAj$zx?m~+o!U2zk!VW#xlk@%$MU?Orv?GnUju;y@te;&AojV2?Sp={7k8Z z;3>i}E%^B}Rvm2N`br^J1s^pzo8GIglon0#(u7d7149PupF1@(U3P zlb^bQKz+4!Xi7TTFM=E;U56?vb84_hR0j=q<&)jVSd0f(WJjZoX|b)0)`P7SS^B=U zB5O6M4bkIP2ziCw|1e&BzfB0a;5$UdhW+97`(U}^5N+A8>u|PW6>hpp#wG?20iL?6 z(2af z+{tnz6VrMo@dL&8Z8Jf7lbBab$hXYtNiNU&!5d9><}E-a6FX}-Spj{b@pv(s4-aTTVwg$YL$XE^Dy{%K18mcBeou~Hx$*KroxP{LiY~a%R zv@6%Ug7e?8FUF%<`O3O?wJa4pl5dri%?DLUx2$_MYG3zE7LPWao${ybn4`5+`VjmS zabY^Iyy)rcpWZ*CtrU*fD(#C}unh#J^c^#Nle26>j%Z88!>8d$64hj!ulzl~YQh^i z0MGZBP9j@ykpuCF-`Nh0k=6GhS};*rBjV}OK69SEfK*%r#@}+NLdYTx*QkJ(P{j!w zb(SvDS$cWfvC@u})@G$G)ZpVsV5QaZQ6L-VmJks69&8Ajsd%yDzqR-;lS(GfZuv|& 
zk;GtBvElk5QpKIA87H;Xz8n5t>bXYP)ZlSg`(ShZsKNe;1z{Z4W9@@2>qiZ?s2`;o zKbBjf&yC}*1lw&vi^s!pFFKkx=_UivTH<8%s}t$e(vzV#j}ncmM~LE;-5J{mH73C59- zh$YF^M&Gm*pn@OM%S$!B=aC(!95gL2WUCR0U0q6@cZkFtduYNQn(L}BzM8H|MB-ep zZhl94$J%S1o?447>Y7<%BXMge0K1KL>hDHP-L&;S8@;s9XAQ0Nkqpkm7n>0@UFpct zsAe+Hi)~6r($}q-bv)M^@4;VA&prg-pT0lqU5B$+lI1-to?BMn3g_-SEI8+dFl@>s zzKl^S9xRaql~5ze(?^RHDy6`b=2W;6m8)bt3yIG$-j8nx7JRSRgg#7!IH zixK~Ce>}b1+4(UY8}aCZ3;lU4op{(KACSCI!c*uh#3y=b^*NA+|FB?kelEYEh|kME z;D6c2#&_PlF`iGj^*_imOw11=vh7aeMgDTQYpyeF+AaVGLB;`F4@2DS{EH1HkYN~! z>rKkce4H+BpD#jsQ=*@s-s`HEwc=4KA`BA#fOgE~Y=Y^Eqhzya7KKnUgYQv7jaB`a zHb2aC(dkDbS(vxK7V)x=91Gqg{zgcoVSd^T77dA~5#v>UB_R*Y+P8d|F}^!vA&(AR z@SMmj%ka;Is6WR{&-H_fKmZZEcKx?1;PM_v!aCU)=QkKRQ|+K;oZrcIwK(Ye_A-`M zQ09VP9KlvJV@9mg=T>C<(s&AkNLf7JyRvWP()Xe3_vFvk8#PqA0i* zY0uy(hQaW#M~$pZYBkLwPTLfO`V*>jA(~D@4U^TJNG|9Ku!m^K#bJo~AElL9fJrpp z;ct=22{uuY*Krs~SwmCs>vBcEvu!S=HnJPk^Z1mcHwlQPoW*;ypQ-^YA=VLO%5L{t098IQB+??D7mL9kW&uKijU$FqAt?sJXdQ3m3 z2u>5iNFC%x(~A?$I>dVmvbz9?G z^fSs@mUS!)%CuQs)zQA1vn0v;liy$1(UL_zI)-S<$>@O-2!YhUmDEbn`UjUa2FDwn zFC)(_jHLV;vIbh)M%JM3Tgw{a^bcK)W4+%+(7(L9f4*H8dX zY51_{;OvTPMIAaI+I*r7LJW@+?N!Xf9Y@oR$RDLK-UPI@2T4Uy>*)`=U$y{% zm)Pf4A`j$#Ns-IS(2Ra?hU|vWj|jPh9hw6qA^YS`;^G*Ls$KP_d_z|hmp4&)!6NkQ zo)Kjy{RxgTriQsiguz-_3(w5@zW^R8z@1D=rn0Sqg=1`4odDDcK(z&+;lZF;ssqv1 z`vstf0vTTAnRr@2O(xL{fT^E>m#TjkU%CWu^4~H)Z0+>wFogd(Foa9o=1vshr+Nl| zGpFp?ZiVdmpr@F`$|#1m9_;F;QuWTfv1^@qvzSf)TG)cK4w(<+ibBZ6X_f$TqkZ4~ zTxpQ{r@|2)9B;%C9v!-f$CG;QNVL}89Z6re7GIqciZe>BOKBW0t~CF|__MHsz^%K) zAaNjY>X(r*8ENU-R`RaK))xI>t}o|agjvb+Q7SK^Cw+=-254^$B-90Y%!)kA=bI^vp7R~Br;!k*^0q$UIQqv-y&In)yvTjPrr zx34Y}-I7nytw*f!fV=Pqbi*JZbK-sAe`fq;pSCGY9F4PR$;}$w+q%z%yZ$;%Do zWfab9Brn&&d%m+Ov5@Y@SRVRa5Jvgv@Thk=p8pT@N&WQc`#t)3IC@d_Gu|FAGk)V_ zWdBJo(?6Ta(xnjMe+V!TUD>JtuJIRI^kQKMAFRRjsP?~7fe40K3-Z+k9}*NoOQ%lQ zl}GnLt#Q@3N(9iy(zsGA3K5036<)QfQ5pFH<`Ece^8 z=u>vah&v~oS(gvraQJ-qA1@CE{C{7M8Lo{>-R-ex4Zc4P6H+f+#fq%sVqyNqQorW% zT4WJ_xBeFCRiEjNd%nk0{M~4oJxIxovj%fpaH`DG80#XX%LZa{jW*wHNHL$sxpM(B 
z=cL0+Y*dXxt-&iAa|9IaeQ`X~;Xl)z*NZ+^Sk9r8y60iioq^`WF(Dj)(9 zN}O>E-e-&$S=95opoe?fJ9w3{DLN#kyg&wP8v}eS!~Bx~ct}Fk60WC7>X7vf^OF$< zJ3EzrLTfRWt6fM{)(JvhFj_dBeD@9~EyrFV1vJ5owm7S3V_2|%JdXD^J$cb_=8iMh z<;mnFYn&JIy?K%H@id{E;(*L9mk=y z(;JVuxc80e-o)#%rRoudgWQu2oZS_=B(Xj_Dhu5)6BtAKhL`GQ6Y+FXL@&Mqi{+*! zg@rAz^0&Xq2iI?dCr^L**WZ5m=GhZ=%-nnmdf$IXKmK79{L4%DF#^`p`F{fa@n3eI z1^<_L0-er34F8{r9l8o9>5X7(CpO@zq{>cXK*y{03ywY`@u2vMux#@VmR043iBh0w z@+cbc@WsYh-xeA$THA`lzi1!p`z1AC>>B+LCrF!XJM`}JXW zn`$Y--@iKj@%+u(A7A}7ICw-}=CLxvxg>rrU#6L1zw9s7%s)0?s_G{P)z^OAER>u0 ztFWg0`g3-%r|#E^xKoVxfU9ZH@EQl9J~(q39Bssg9PZmx-NDgGE#`vOwqY*xeQV~D znQ{bX%zAYvOHKcIv z6S`BE=k{WE5Eu7PR#{;+O)@JPbCh)!ZN^5f+<*!Oc*jN=Zdm!s?*D*Cpu~(bDZGb=j5jGwQbnnV1IktVu4Z2NGzju1xCL`ND_lw z-Lu+)Nq!XO8=4V#c786XvrH|UC`?6(0~r%MH06#VHrK|y~ln`m(YfLJmZj=}H9o+k{UMdw@+eTiX@3)W_ z803)2Td}ll(Wz|`v|9)QuLQ`5c5a@MN}96xu`w6RDA9g85%WP!%4g!D{Fcc_%*6q)c&C5){vE)Xf28f1;SjrQd~EJy`2CW0{Y)(U`nZrw{ZV7&4;X5i7FUV(vnZcwz=K1G1tE`=3q;u>!7{T6(@AWfN4WNq7u%O&4N?-+*NH5 ztQLCK%0200I7s*xu@RUUW~pj(v{TnBsbfBq`#Y8bZQ+bdv?cbhNi>V(%w+;v!433- zchhOl44C&F=T`z%nTy3$SP~jx%|Su9+&oJR5#D*^bc|sG=(tzMy}lgxIvBR8cgCc4 zIe{UoczL&C4IG=#;KW>o1-Bs1t&L1c0+WF~IPtHz92Ixl1FT>u!T3M|jI!CS6MMag zd`?}k)hzl=nWLX0VaOE+DDWbvVKQ6HgWj*9fsT6ei@w==Qo(Y}vlso*XgKN*dc*$W z>Y)Gm#nJhZM2~v?ByCYKp)7YRe(x8^cfyUf8?HmemLjjz%OR=I?k zd?-LXW7w*-N?HrXBs79q2DBdAVzJLDaRH(sBv`saX>&Tlu{z#dRS-Iu>{4UsEtvhL z##-5hvvjOPPUV+mC8IjwEDsO|YU^ReM}(Z%Yrm$MNu zZ(Wc3Lv>3cPb~!`nT?YnZEtRTnFxrPvHOhc&BS@WGReKyT29m%FO1Yi`WZZ6exX`F zb5Q4*aS0o(uz|*9Tn5oOybj|TuK`@H%i9x8*)ZeQd=uc*S<|CdB|(QPDT?80Z%C!I zh(Qnk);o&NHfqkXDoPjJ8Bb8?{GBGbs$sG`3tkU8VxH zNqW(Ax{HV@|9BiNmaW1$S!P;qJj@iQAHk(4h@ELCNNGWM;xVJ7(1}t1rl`Ml~?nwpJ>u3vLSuId?_uUj~B> z#h5E!?bOd&ESU*ViCpInXGUps#r$g*;V$n^%|hH;@4r!5*ZQwflzZ?v3hHpPg1Ya@ zI1TqlwZw#BQ9-3GZy+NKx6n=zCCPAbTIwM}{pvMW8Wxs4fQ8p`Q()5n$!teFhpa;_ z&u%^2$e8|xjD^bH)L?ttLaKOW{hU02IdOD|6UbDQF>0xy8K*gdn9&srp;1DrNP;~6 znU(C|}_DjXO?gkrocg=ELe~S=2WL~%NLd6O19&%wHO;oGQB|$5d zL#}R6I)5xFVzgO`aHygC2Q{UL(Kb@VsI?T~GyB997d(5#ca&L`uwj)pCe;GKbvh$< 
z0ERgRWdHHuHzv)J4k1`jn%$B*{W+em=64G$EkuaZX<%}ofJ>VrnPXo1L{r>G!k0p8fdlhkqEZ9?qhS$t=?t`T$07 z>K-#^n>%N*6%#t$vOKwi8<*AhMyp$_tpd9UQ%5ecBErR2sA)17ZVa^=>>s-<%6gzf zXl)ydJ$>Jrk6KB@oCLOPU5Yn1|I~u38EAF{qhCOql`};e=JIyICLt zsRxp2VWm<@oji_4IT~&(VA95YJ>0H<$!OTVfQe&<)ybEpc!;7T&eKUGwRh1FF}5q@ zJBs4~dZTGhOtf6upanmrjh8rkNxGEcBo@C`oyvIDQ=o}))#xk6q6(s-R2U5r%pXBh za`|<209Kp0QFJ`6<8k$QTw_1-aQ}WDcW0L78Q;&J=z2D1ao)GBIh>0~`iDr#^p>Q8 zvk5Vry9EQMD(pa9jOTqk#IK4 z-y{L2*c)ssqA=ft!iH}Wx!d1-{O+3{)C~uI{4EiIJ`sfqCgJn!a}bR4Ngkf-`)eIx z5eq%p#j9v28b4f9lhNVf@Z@0{%i4{~RK42OZ>1($U@BV)D=mBn;}(9rWG=Y&$eK)9 zbMQxkvS$Mt%Hwe3!DbMI!SSKBnI6KH4uc7*ObXQbJWkk2Xz}}I z@iYQ5YzyxCmOF?!mSSxg_Ytxv>L-T=fpCZ%;`=6XpmAE_WCcU0c8(rn2U>5j;tN2(YWp=4updt( zo;fG!VTq#~6NQC;7Sk`z$p_tgqG)*l4ZaLBHV7Bz+({RmbWvZr7@jmMi8(l^0c1C8 zQk*N;*+F&6^Pf)ta{lJkU(dc4LVP`n=Nn54!>*{v#b7=DJ7smTIr961bFR^-Uj4?J zdgN$3jCC$$(vov6TIJ_-i8)5{tMrVG?C$g73sI6?^<+6JwA&098P$zdL92S5DpL-vyrJ zesE+Z_rai(zdHG=uKYDTJ~(J3e-UAB<8AnE4Y)C+P9IUe@DUW5F~lBxBHwL;_o%m* z)h?Evlze?xiLr=jRN*V)_uimCJnD~n`(` zq7{DQGlsAHew(b=2d|hCJWk1!GX(zff*}N=R6<6hi@~u4;B(W!SGh5G^IMmfut3u? 
zNIf(Y!i;-DGl|FE5Q1=y`e}18WZVkbw+;ug<4pBAQ;U)-HS%Zg4z(&!jONi+h0lXm zA3yy0{m-ZW(NyjKhm5)^EKOD56~8cDUpv^;ix1agu<$ZxvF@7B9!Fyy4K`}bt;)0% zH0H)-TH5Q&j+0hL3IjikmCq6*VJ<~#3<`7Jy26;v8SS5DVe-i<&K)vWw5r-P&T^bt z8aJy=!b6Ff^2UjMoOLVGEiYKJv^w2e;&nkR&2TvwXtAj8d4(w8;G)nmhYHh+@6Pr( zpv%HH%j{XvTxmgZaKyOFDD4rXp_hAmXY<<*WsZ zI@4yb(qWtk9})s0w$Eju2Mz{?F<-2uu~w4+r^3@&ntoa>N{}K+Y9=5h>HKEE5iOf$ z*Oer&l;3gXS+!|1ZaRzU>^hQ^E;egO9F#`__;{5~)jHcBQWVN7bO#_P@p)*lRM9`o z(~LsSCW5z{y84vx6`b7`=Z!aUsxKJl3g%N?$z_c zy{hsn?|!djfsXlZK!eC`tC+0!*2|rppOraQ-C&z%fQS-hTa6g5wAVB375v3?4~qq; zFX;v(dxG4yKn>j<-Ce}*f;sx+z>qkYGox_g5x#`>FJ{lySMn!Uu>g#$0KBZr;UO4~MlFIa=F>kq-cc){>Fi zXm5*M7N8VfaQY?>o_?hNeb$1Vf3T&Z0aUmG=@wotE=plcr64J_#O@UgrQu9tiH%oq zmBhcU;DKa{BfJ=m7MohSK<9;_)8KnBxjHW?+g51-5;}(~L?*`_h*8J;n()5kqh{Vc zx~TW_KGtD~Z@jj4BhDgX(}-RtA%LLKX;A0 z<2@bksm*&vN5f|RJ0cVJ^B#nd@c+~d~8y|ZR$TxP3icTeh+!K3zQ_y)tli;dx@qZ7-rMlb5IENX2l zmNj_Mnq?Kq=`5wg6edZQI@%Bt=Cv*X<=QChWB8%WDWIGGUBhC$VuAU#z@YQ zt)Ma()PrqBYg;kQllHK!7GvMveOSK4Wt518?H_@QnH0&q<7M};s*aa!%gc}!(u|j# z)WBoihL`b0e?$&eF!zOZ2@S5Mf@2l|!uj*2Y=%Gb5&-dM1zTy%Pdv9>VF;#8lg%); zM%qO;gAsi->I`J)fjs125@-UX0UI}KKRBhMdmT?!)@f$5 z4nsj4x1MDlUNkW|5c6<+#V1db4}HXPtqhMxvq(F`N@JY83l>64ajTaRGA%oJ^NyW1 zVyBJcNQQM(!@I&aPx)xW+x_pj^?wFhNaOI$szy36STVv@txXjofY2DwEGEBKZVh2z zt=^`R%J^u8)X`vL`hx6fP$Sf%5wP3N&g-AwzWVU?{Lk-xdJFRSb@;&=y`X!jfHnovQ6Ln) zp6AV?0_1H?!z)eN>3ZISO@>6_3Jq1ihi4hX&EX;~SjKR>a1r{xJh#hOhx93RU*wT&4n51(mu&eE7Xl@WGn*F z$xU#xa%-k!>t;X_EU%X4?{&c=9XI1!@g=$0utxC6oywLR@mGa=(pcH5YNX4RV_mCi zX)3tsWuAwNI9y*rXj;{KRN|?RmMb@UP_8-Jl538>9M{D8<04T%LJsWx8{T7nWw#z(UJ=QDUC^kAyZlI(SeR z@`Ej5$Pe1XkPD}HzML-tb_z$cHdtfmh9sBhb2Q%7Ce>mv4p&8W4EuyF!@EHCz98n4 z-KsZGSfGAtbJ9%iIX8?6fUPjLoi>?B$xS4C^Wz1yPlTa(ZSN^ozOAw-OpaCrshz=F z9uB@1W2TnrGM+rIx7?_WI<0iENVDZCff_E}_yt^$#HXW)T3$hMmKa?L0M*5n#kP`U ze`iNma}r(GT}(FiF0zPWVqx_~oKO~Au-BWNuf%|)iBLiP=);#NjrnqTe0;noDq#rWVoxZ{ z9#h;s;bMC^U744MgKxgsOS1DAkMftpc@f({DS&Z~`S{s@#}@4Aua_VyT)p5(;C1EI z6ISp04Rnp31ov#pnyB`0iwg-)rHDOcfO|qe4HGavOwDh76k%_0usKxu_=T&Mc2rB) 
zLu=azdmI+oQrI)q(p)LC;bG6o0Iqsalw2;aTFQZ3AuN(BQ7APQ&|%fzT`2P+rH>J} zMMwBTtHNkXDw{Nx93{1km@TT+#BZ71V_vP&ogD*1r8bYxw9K3gMu(E8wI|1APArx2 zYsJbhmz8)_f)Hs2Fn3)fIP7sQ{NETbXoMzin$KuOoOC~UUtCgj4QRk=h%3oz5>7%m zlNsAGasb_hSthch<}LvJHv=?nykrt1P_`MI7H+tG08F51uE=9|H|HY1lBO=m=Nd1&9AEv z6KW9ZO;?XDZ19rk^0tN?D6-4y^G_y zJKEd5o2Se`YJ_^*Z`4Xx2=%tB#{hBN8qtIZ#UJmeJOZ36P7U+XUPFSq7 zQpW9K1`xB?9C-;#K;`1J2UXs8rn z?vWgwD!5^xAaLeQ06m)9=YJ@cg{woX*&M1|U-!ti9jnW#_;4RIS$VKzoNv?X!S z-eaP1__9J>`s<4eI_$>sfPgvM8TywBRxMnzu)PLsHB`sp=gE=OOcR-|ntUM5T{Iq{9B!g3i^`Vy- z*UWnC*jc~GVq91nYmV^EnewEN!6jp`X&rsc9N7S@U@$Dwq-KZ?pdm-Bi4i6G!GFff zD>}V$caF#0;`dp%i3{0MzR6-1U%z`4v z!e#*DjhK=~pT{I3@bD_j#_k_jB=F(>VJ8`Ml0kjR07_L8$)HXUDW7ZkUsF)Q3nMKF z1MJDRUTp9wi{dyW@F9DRg_KgX+*f}1(8L#_h#{lStvnq)W?O>Z$BA$o zNZCfj@L{=Cw8%N9*?;gf>RX z#o+M79ifxG!V?$sGkVd99i7-wU+g#SlPsQZh4xn61!CkQ(S^p zY_Tqoi4M#XF0-~s3rein{fAzd92NT)2rUOrdwbw zP{s2bOwvd!MU3Un*~Puoyk9a^*va%c`ojsXhF zq+}urC6JPA1O4%xZ)Rt?6h(=m+_*?}Ni2%HS}u2HzIks=EUK8%Se}q#z_n1Zg2RV1 zsqCNR#er3~x-oRWm$zT339P!Ej38vv_6rQub@ zgqL0vGpCCAwZtfaL2!gKHj0-}WICq{PT^p85?wDKKw?-?ib5I~yNn~_N8wZJ_(%#! z%Ay^q6JtD6^b<_HtidMJxllcc@-z|5r-cnsD2lCB;96ogf*A@z97a*Ml^CjaV7rxP z?ARK0Pdx_QOc3rULcg56>@*P*^r&fuu(~k|iAipUECAqel4oEV3fBN5p~L9SJyj5I zkOR41r|&|%LGFI-A>J+jrZ>m~xrUv>n45k++wBP!o?u~JSlH|J5A#!XwX^nzlI(^! zmZHGi)T}JH1?h+zxFGl7H79t29SGG*RkY})#NZ*Y_uIhu&a2P};*X!+y}jZ~;v_3u z!)SCXAT5v>LUsucHu{wq+l@aMWa1)8=g|}X3h0>O>ZnUQq8EM`tr7@r`uHV! 
z9_7r30PHS^Hk${sE>zYkKJAZQI~&IdJpP zBqCILuRXT>x4*yl!Pn47&Ll9*1%FR^{ih}C~< z$Zfit2A)>rbrL@%FS9Kvp{^EUBuSiZP{QVUz?RGVO}w*nM)z&6^%O>HuZ6Q}kZU|{ zo7WblA$>y&j=a{~`+QCx=oouM%{aMp{n*3D&lg^6`MjX#!Vq-m`V zu6h0+Owhc9olo?WcZQq%JFI==pPloQpoTzeru|`kzQyw|{5zSPg}BFH?t|cK?+oMh zdmjr)oRodpYucIm%WAK(v<;#nMQs|r+47T{?BFAxeB}zo@wNCutGkUUG+Oc`Icmj| z+h9r;sthA|8uQ#rVK9L4Qe{p&q?}Kr^&g39Mc{=2ZI}Fuj z`#7H)U>B!{c4n#A0w>HaPTdeYwPltV#!kcL<}8lqH*ncYXy_Lji83OmqIldmrtg2& z9cIw4P6^0;+Jk!1AF~}J{b_t-=|7HK)r#KL%7)P+_>x{ZP6l4p*Lk>_H3{nbFNNWI zhF-SVUIB@ns?1!#SxWgZ){tYIv3Yups66h}U=&fiGShUBmXhZ*5CqW>Id-`deu$wB z%;E_bO%vP`CE5u>w!@C+*$hF6!;JO#1@Ojz!0eavS3(gxcq6EEGbCRh$-st+y(yuF!*-(b z_B?jJ#_g*le!`vELvY>g;lFVHSQux~#^z#tX9tqqWq&xt&6(8S7-NIJD}SVNRtPd5 zXUu1Fnj5;=Y}OaY4c%ciZfIgPI1V>(l5RuXfWQLm>nsWwOuGVACHNDA&U=&Ww{jX` zG(ZvGqcOpd(9_arZQXx?2aZlF{l|Xn zC2=8bfcLyuq6N|70aJsqo9UsBlWa*h@Ud?o;@>&LMJzo- zRB5qY{n<;n>gbJ<;8iEpLgcX2LiWNmUTbhxX+L0u;5vE|Nbf{W*-Sfr@cEj%x8_-Y z2Gwj%Xk71(4o<3k#(8#pZgsC7g3N@tf)a>yBW@=fYso-h3w&iG5fE->JJb@^3g_ub zFrNf-ZNc2V9UPWCM+|1aU|xpFg#W22kZIg>F=hTcdZkqQGP}Zu3a%IDBHHC0mwqmFMId62knGj&VRUJ4ZgVYWZ*nb6Z)bBY zICw2|V=YrVkq>hB0cyYZL@Ntu$ozPgl>lp_u>K%>!* zUpE@_>WAAnVpEYTnI=bGzuWVeNP;w!$@s|oc>SjH();1~753_=Vjc-K5u#wlJQGJ= zA#Mx*Rz)70U0t95{JBhmh%42_=RX{8y!r`-o5Vc7VK7Fb4#VKcn-oQM==)ij zN8L0Z`(faVNW>y3l;7|6eb4m0Rnm2y&1T)%E_EODdVT*dZ!fNbiHLbeCaT~`AnaQK z(q`U*zq_$4azQUfJQ!-q`2+M< z@=y_V7iqu?;;p4h1w^!=(!h zWq_0Me2z>@tvRJ}hBU|1N`V=_GQKE0jsT(FZ|a`rwGIW0i3QJS-hbgbCR z?ky_bV2GAJhd{n&hbvtz}WD$wu$J6}E*CXMWp-@3CGaTdim0$mbtw~zQKoF}6k;kf& zjyk1kFWRTRqdZNDPRtAFxvV`GJioJfBy!LoVN{H`g9HYLSvdqAPDJik&s19GfzYq| z?p^wsMO-EwR9PZC2ZiHGfbxt|@Ay*xI%IuT>FaA?{vjLm*=rFn+=EwsHOR6t$09+- zr@42$+a17vcc1rO9DM1mAWf#A`M6!5v>oz}K@NJ|-ol&4P967O`SwqI{Bxd`nU>tn z_3728POk_5>-F|tT6XE3y}JClbMoN>w)I~;@0?uGUxWSH&O_hJGSYi{wJ;h}0_K&) z{K$(%D9hMmGa<*50xT!cYi6qv+I+u3b&ak{F5^-aEKQ<0<585(7%z)Sn#;e5kg2&U zM9g>?OH>--vtmWcCVVOw4+0cq_*qN@yAjYi1$}RgqMaB1@$|!j)RZuD<>$`FB z{WZMq=-E^(%jFd00Ec8!F%a_*XUXyuX2rQcb71p|IZH?MTj`ZRpCFQG(HT#GdJ&W$ 
za&snbg9(VZepgLEXQ?pjpH(rfl=q7C}u(=^@(tFGgEhC-zV>Vm;0j7BnWRB=NH zb*@MRvXHBx81XVHSl8|jLrcse;~E9m5D%(Bup*q z-0vcKz)`v=P5z=d;o~okq3{wtnWG@pWR$(mOsqJtv#{^7$*D`n$JB@|HXT{69ImH!a)y85+Ff6Rmt`6;Q{( z3dLEm14ae5q%bm_qUA&bV0x*;jg3Em_{V9;p6~V8FIN8=>h~-4NoOG4X$+6<>^9D` zFLm2^m!kK)cIpe{j>%6YJQntCYf(}C7zb0yoYUT6!xC02f(e?x2uvqhDo{myKZNn- z#ROIfCf=~lv6A4G+lY7miStXgu>(FAMe+EYjQ40xoO7CQ%udr#bpbDpv|%@{D6~4J zU&?{@sT8wi=7De+uUU~5Mi5NpiY+E{w`_Z9cVV7Lg7kGdw;3-c%=7(Ik;BT+a|r*( zp!)HjX5u$E@8218Op`-sz6vl{?R zmsdxdY;$Ad4J=XcV4_zK^F)L@Oz(-axd2dONk$TU+8h^0E~~!qp@4PL;v&U5 z5nnB7fSU9c@?vpx1jPy?wv_$zAO8*V|IdH?5AIcryw3%=2n+(Iu)WQJkQC5{y5x4u zZ!;n~q&y_Dok-;3ucgd&B-drT0($lc_#6U5 zQ9S1iLndGifHIzg5hyHR1fvj2g|04qAmVFHNm8yD23Y`aKuRdAP-vlM0#SilLKW;c z88kpi5y84~ln%*o0c2RFOEWPfMIvdRJA4E~V6z;TILHhHh=j44(6cjoHAWa2cYHwM zOHw2^AV7tBAra1k6xI-0Z7di8|H57(p+NvuEv^&W6*`J8d%d_b3;Xeei=J@N+PG-< zW&d8d2#kovMQ31CNuKZ0GxFja8)vs1f&&efa1jtF6dh6|Tm!R-IMO@=_VxCYZJ^{{ zy(6HnM1iWd)d}CBQ9Dx}l_UhDI$BRX5=oD3;VdZtoxheK1Zo@U`^(AO4;N>L8#sc} zv*O#pk#4sO|1J_u%&I0tgoKYRF|<|9rq&yd#7a|I4Q5`yH8DM_6S)DhQ-EkX6eI(2 z2u@t@e^5l^bg@H}jwQ$#xQnjo_b4d$wQ$oPf58zUhE`ih%GUM{+ibdr&Fx>2J22_t z;UAa7BqMSg8|S08T-5kVsF0eQ6L`#Ul##Td*dS0aqC;EsO%MaXf|ZB?aDqh)`_I=x z3^>|j5Cgow3NfGyZzYjn|HCpsoHz!FL!?G-wJ^yMRbu9Xk`%8Lt^))Ctcrk)X40uRh2HCVM!&4wHh5o=sp-48@eo455aSYVA}R8cKl!6=i-iBjw74M!V1yOINP>$y(2#PhAD{c^xTOrYo6vrSfK3+!#pKHHod{JGGXjDk)}X&7h2JKa-v0E!7FZK+c81{8AyI}dh!yV1YmR6Fm7 z3-(nx{0$(H57I}&fcB<=gyqzL9E}5{uao`HCc<=F45>3=e1<8C1=R$CYv!o80bMjlpSS8I8KOx z7wPyDkEX%~?Er3JI0)Mz-T^}=GYsK?6A;^Nol*88&3D+JQUx4#0V(~7Mi^|cO7UIH z(qn>HR6tV?43l5M!W0D8>X0?;)N^O24tAO?FKo;6UaRG$Yw5RI4qVHi(b5MaWm|Te z@4R#^d;6^xH`;!i0vC_%H|N>i+qEsb&3ATRSc^R9_sK6m!EWsE1iQZkyZgJnd%bH@4>MTN1b%xA{P<5?!833L@VD|d$^@8k z^XHRGb>tO!3CjkToW2%Wlmd3r!2{uK3<(~~Q5WMQQGii5GEB1F)=2!UA;V{A_B3{a z)^2fIKwrzVwVA^F2Iaopr+=x~;YYU>5I-~-zDE2|DG)M+fFL3T&uo~DQM)d{u)9Dx zD{5q6Ds-e9av0 z;E_4p!O9$ND;}ZHm6W;w^P7XW75SMdvw9;V43$Roe-DVX&Jz#<8S02bCRu3$3ZpRM5tL7ne+Bd(_IHp04<}?LGQ)hbeNTZpkylehS&OoX+patmFTi1 
zEP-heHk)82%Vo@AO%OaxQizO2jB1E3lvoDx4+hZ8Qw`jj5}n>CE1u%Yj<>`7x2O z!9uflkzKTWcteaJD51p05Q5el48<&!_JB>-1mFQ%nwlR~S~{g8x#2v+Oo@xONx{%Q zo}lTfBCL9VWkQoFNR-Ga5W>}3xo~BGW`PPLELcQVo!k`s25T`=7HgoVF+wrH;JaI! z2)027(O0X*-_(>yveOZt>q8@mZbX8N$D$65w^vfvWqKe@-GA^YNIAu#M*K37WAJCx zjJB4m8x#tAMpX+KNxa;-2ixKV z6ql?Wm-Ki0_lrxwAKm{r;MAVAxwrv3bihzi=#ZcVbEz9_)e2NKVrEyE<7ybL*~Mhd z^#hlDU+o2ni>=X6jtXmb&#(+AgP+&P7bZ8f|y)DnDj6p~~~6cm(mtTx*L zo1NU~%Ghcl^<7inuP--05lTMw|rnIcfBGw}Kf z2hGEEaS{xbrvTIuSK4_pJ{G$A0;$($GN$YVN6QKeV<8H0Rjx)rl>wABg3+&WmWY{q z-de*GUVFl8YvZ;1mv8J1G+z7j$>qEAcRwGpOH>t`mLeH7mEg8aLd&)7VI*4%vJQDs zfQKAwN~^{wG9kAOIrAKBJn53Q3ZYaP#$2JTmLKNn3}a^shwBd_EU2~NPF*W8EvDlr zt?t^t(!s59ow|0sTh$-_=31hUyxIx6Uj)tj_TLX!YFb!DwJGBF+|NdQ(4C8x6n z^g#d{s`K<#;wVG#XLi^*C0s1vl!UBfG~YpkZ?YLy9?4%+$N4MFxVgPim_uEu=YdXO zrCX#V3#vy|gOr)59b%gVwS!wr9iYXGOYlOwn@GM9#v1IeE@|mGjMeL}hp}L^M`0|y zd$m>qHIlIjX?aZ7U{F?MY($I7uCGr&AS?0c+z8bT00IV9ar%&pP_IP-E)D0o(t$`V zg$SyQx`BBv<#JQCGKMaDi#=YaS1x&Ga*8^km?-e#wHI8Xh?0V;4A8XAxCslA)KzQS zI$VTDQ-EU@?kJ9D|Ck;fgRhJcGMQ8s(&F5wqqU%7Y`X%fu^_(@Ccy{4DuyRzJk;5^ ziU6X^Y6t_JzU z+~%QcBM#GW&bD+N%Jvg-d_s=vBgfwU-u;l{VE?`q2=DmRNd1?0tXv|clGx^ga^wAN_>Z^QJ~?%Ru?=0=yYkfyQ}giuCy|7ebVCI`$6iaT zN3)Cek9fCD=&+W4($#8>OHGz#za(j~_2a@o+rKuiH2t#Jh5g$R+a$Jb{`#fEcYDXF zcDX62iqi~?()$k5o2xVELd3)q2g{zftS9UOc6Ga+h%q9}#Buvf5=ToY@pmJntFO|M& ztZaN(l`=+x>L{OF=acJP+jZVQ>C(URF7e&5dmgh+K5Bbg8@$`B={I#XOLGcK$#T)E zePBaeaf>NkW|9RIvSR!ae9ORe?_i~Y-tX<%%HF}jng;sdkp}u;m4VjflN2Mh*d58C zZ#imh8o-e8gY5P7BBq1!?eK1!;91V8I7e@%j&Ukue`=0KEm*RamseHoR2Bj5`!}qa z;CV0stH`!~VlQ$1fu+`W2~G z@X8eH+roJYx%C_$hYE=7KtebqM*C|V8C{leKgHpCxhtH!;$noXH&>kzhX^o`hq(x-rOOX@dErHhSKTS zaKYTUc!~|59NhX2uK!|iPX~AKFb79fPo)hg0~7seP)C-4JdIPi&TN^1B7I?<8>YW- zv9a+9k0oqvm>ynh240@g_q6cXx;}7JuNsGG{4^_kJ)R$72Dw;1RrSe@2Y+KjR%tEx z{nfs+@sOnAn6KWduMAFly*n;~_T2@m{_a}f1V?)e zIDz+9fs+exp(sYyrCKG%({~%eSCX@E2yt6H0I9U+EDJD@f7AKkG)D)I$>p3oU7_1^ zQ&{^B-VX%ii9JKf$4QF$0NV@PYbi|WfrTFqbtFQBW>F53RM+^(EoUheUbn8FHnP%@ zA-!qqsF+|P1=cJSlbpV)g?dBF$NG9)wW%)cvJ*zn=q)@yDnyP6Xdo=Y3y$Wh0)mgi 
z-0#$-*qT9{uK3~UXwJ4y^&Z%JfH1^a0`!UPooZY~7a@=wSWy}y^?$m){@~L6umi{t ztslAG@JS=azvHT)yQsI{y!N-}E;|nfy;jSCYuRhG?DuwE%gZOg^8|R-20XpzFYX0+ zKnm}h3_sQP!_g$-JG`aab)}^g=H2(}0;|Hy?gst7_jzi1{Tco1SHI7r|N1}6yPw%_ ziy%Ho8W$EZ=}b1*rZ3F))J>}0$knD5FL6M8i+IIZ*4DL1bC1AXeV2LtUb`;zq_dDO zC25uvmeLHr$E`WQdNrwjpxA)`_zi_H>3n;e-Eh2iv1WnwD^TG#Ruj7M_WS9_?*KSg zA6MMJOan)I9N=7eT(PoDqjqr5Z)IG@XeH^J6iHD#08=`XQWOtLl3m&xI^uT1VSWO# zU?%APo4Lz{cg%<^kk^W+8ZizzQB?)%E!I3I_SzJ@xWh&~KqtseT|ww-LtGd`WgcDj zF^Oy~QoU}%%pi3!9C*seeww3J1cH=Pf~eG=do*PtBGKP<)u^~ug8?BT*A-EwEy%f= z;AL~;=&3#d>tN8h0Uesis%DtjVyhUI@&=)$kN;fN>PgrcqDlupZTW-w_8;mw6_$i9 zRt+t(CL_Te%jqL+RNA5>eief!A}v*OLqMU0)JU8sHsFIl!>FoIGt^>9u`7zPRGB-7 zdX-2O+VK#aKG4G>`%IU4V8Emk60FQ@Ddf~1Z{iP-SbWbK5wO}C7S}63=r}hM$!dt)tQ4_W*UC1b0mM2>Z;mbW zTBr`G6o_g&yiNT*x-0@X$yj3$*6!;tB4c29t`H2l_Wee)zK*ZcO1jGjkcD=S4+b3Q zejQ|fr{ihYj)YYDDhx?0#{3%9DK=5Y2)I>KOGURebZItNzv^Q__cu3qF`8&|C;vm} zy;IvCU^C9>s#HN*)FdsVP!}IiQFg5gwqDdSZG6$~f7|=krMR(V-QS0&&{T9BUP6bChGKEC9vRq$m4?gn= zrQ6vlJ)vxEiczq;U6D`)tu1mwf#)j(>*-V+X*xRM6u;+5JdFpSqGjPssItY-yG;Bj zrHyz($p{3$cq^AD{Z$FId%~IJk%mKdP!W_KqS-u3m7^JDAN5uFnyr%q9&eQ$TOBSu zE7x6Hve4rOgqIiw7)lC46acS6PUS}lKhVg9Zw}F*Zz^tBZ^Tu}Sq0nP+haH$bhkR| zJ!|;jHEN6u!Aqr8riY_ATE_?1^&?nOBln2TqYRt#xPR&O&%Irk^6j3oL8N96{+i~*i{FLg6me3C0e}Yyy#iE~ z6P#R?i9|&XFfn4@ja>GHB6sQABgJF?6!;(Q+#5!8s#3Bi3ef(b#qi|j!IRJO1-V_ zZmpvdsE?-{mFlzVGnQGt-jwK1P@gA@y$p&V5K}x)g&V3JKZ$U&Z0VRNiZV z2xikEKBNAPVDdV~+;I5A6A7p8o{B~EO@g-q!#cJ> zc^=>zY)uY6cXDXE;omkh3KqOV#&ql&BOzqqr${OZ$(J=Dh7ku*N&*&b(Z41vgE9ve z5ycQc6pbi;T;fkP!4#Ki7|rlA$r(8eZWDh<#YE74Vdb(z9tg_(H6E^p71}_Y$`Gg9 zeO)g%7>Jn)xxuu96>SPwGYc7qOqtjp4prVr$sSzfm{t3wee~P$<<;5g)$u9(`F8*K zU6=nTAlK`T6uL^bWAsSu#V5sQ<&gkmqmB-6nf;Pqmqi>?3@GU zzTf**C4%AG9!Td#MYk3(h4CAioVlj=S|EiMOc&r^rakoMic^&mo(_yVwJ-~;Fecqz zMQDsdrAGwc8?xg@>-KXuvq;%s5Q4K^XA-9(Sy9tdI#*NHRlCC1__J_htua%5jfTLG zN5#f>r)b9b6F^;d^y8ag9?9Tl_sDd=)OfM2$-lkLSB?H|^mkSL-Pzo&7uC_3Q|jw0 zNBpZzve)_z|7$JNrd#GSB>$paD;FxS({KE2TI|Ls6lHGo`8R|bN(+>_EZ2k0ge0O^#*-;CQgyW0Eyv_QIL#D30|ON)#bSBoEK#o13Qdd{DYVYgGnHFA 
zFM>t7-Eu7QgecPPVps&8uOCHv9Y$X?iWJ(VoYfhAld|oHc;X# zL5bP{qTN?tDL@ou&kF^J7QU(p5PjYN(Skw#a|VcZx6AqZ&Ka>9?$}<8uMf|c;g0>2 zle1p|NFMyHf3n|yr&X(6TlEPz<5$WPYa8BGN+6_B1a}l%gNyp}L&owEN66a7#cdtz z2P%soP0wdoh%1@Qn&~Q@?47_z0W-KqS{onQ?TwZ<_I2B;Mhi9nDNa7ZTEaA@tg5MB zcv?t8WrCQIg~JqCnI=Atr#})7y{2m*l*U(FU1OTZk)Ph-*P~&R+Ft&!Y!xjLmbs33 zU~xkyf?>c>3W=Lp+og0_HOgtKc-3dg9{vdPFJ{b4J{53@;_T-t+7N0BH3KMjX`A^R z6XkrI;gi@)2LCciRL$6eQA?)}BMFj7O^!!?J338NJl+JoF>LSQ@LxV4qOAx7AIv`j zG3FgXGYv{=P*P=-w2A)QIw)zo``iwb!caD2(#Xi>mhCT51>%g`-YaPgV_9oZ3omo6=EJ9%m|0OsrlOpg8<5VjSsgmFIqjGlcLS zdYwuj1zTGLq`>nv%9$$yq=!|`K2b6A;f$+zSq#}H0GC6gyOOe_v&~dj{a*6|vT6~Q z)Nfs*#1n)fu5B*@f>R704#$$Q!eVTO?99Ll7ehZ8D(pZyU9~`79P@H~hT)3VXS z`LMOj)Am&sb-ssaBY>`B7qFHAHADSL0st++J>oF34HLP;L<7uk7QPGQ3SuFP$joG4 z9utfeo#0Uv#2R5s^Cg_}(lnnKny{TBL|Z&{dXP5{MvU7xET`VT{`p^qI`yxA{x{i) z)`$m<0gmaN|1sDw>j)H}y`&VGy3{pg@93r+c7v3vBc<-^n)x@jzH~BbPdjei)1&g( z&tuN!Tg7^beVC=94^|YZM%YU$I=-bHouJX$7~@Tau9vS`@3>vw5I% zaxHYItZ*4Sh!--{l{l$6-7f>1cFJK>{hGtr+Cs2tr)tRz9PalQ$5Q(Z2aqZeJ^>{) zC5Gw#K~rM5sKoH4RRCB>y#z0jp-ZtrdL^uLX(}l>tVui7;+3eNM@mE`yA&`ibheq< zt6isO5Z|DIW-MbSc14nL;H!W!hb>q2>?X^h35Z~vUG7CM9zO1jz!!KLzApW9JcpQK^f%(p8FMDVB+lR>gwIE=~dUdYY z22Vx-$a1MvUdVZcvgq#%LaJ`3QwpiJw7aakRm~EGtt|qn;Q5M>3YE}lf8XoRux{MG zN9XbQHt{ES53JYaxQ^Z<#5IIV4CxodUNR-IOes>I0L2dMR}$ht2O3g%k{Hz<>oYrE zI3A*3c*7sv#xOv4V+)FqietkXfdRr#?>SKX6Cs5J;1l}O1IMCewKa=|Tvbmoc4x^X zPFd?S*BFPwdXzC68ol^+AgEwKu@dnRW^fcw;7ykp+0(V(lChOh1U3`Sa&hhlu&>d# zMvDKGF8Cu8W#18f5l~NvU8ex#3_IFD0R9O?39KHs?*Tj{~VK8JJh^er|pj@=zDAWb5?8 zaFmC9|EN!6$`rLZZ8r$CL7>AW{-N=(>+wd_I8`jfWyH*ijxBxtusvB zE?rS+SPsxm5s+k&D>70g;oNHE_p*Zn_g)c@kh zuln!yH+Q$zN*{v%f68OdySlwyc?h1b{H{5VWu^@Oqb0^loLzM0?|%y(-ojCBuSLfK zypXDmv!0}W8#HikMVbGscIGuQNTzcdLHo>J3kIcVVQl2KqTVwb&bD3XxF-H|6|l|+ zm=HaYs5)F5Uk*Oo8e5%Pl$s}#7X0%RTH9xpeVscM7f7!cPWPaN*f0+G)5pvShr2K! 
z4{vhL8+`w>WOrx;-J*g{r`z~53A{$$J-;=iS6=$Avnf?H0J2rHhV&LJeb*~5eHX_c zk>Exr9?CyPIaA35K`}09iLY8HT zeNw^E=+=pDjjxcew>`m-am>e^a=6iyWjCs|Z~)(#NJGjELPHD3Rc7V}Iwzgd zPTqd>U{{tG3iX|QGBbCWFsmZEh&vo7*WnPrzdF?xDL@!+ZBC{GJsv$kZhj)BljCLL zbliFtB=!ntn}5T-BFa$J1!zvI&1tprX|>bC(pq&+tG(A1$h-CuH}K3^vM3@*+-QVG z#YS*Li&fW$jWmR<$aLRvJPdCh^!nEVlGeV+l??mShHLnc5^dJ5Sz<*b7p7cZ8?SV? zX}k-rsAqCJP^&ekZ`coN$@x{^%aYQ$(fp*|w2^<6(>L?`LPv(@^6>oI-$(JlAFX55 z(aP%HveWzJM~khf#bYfS?hiXsQY-AqL_`%ViA-gcM>xTMzJ>DKSZi}mVU_w=YjeRs zt5`BXAQxkS6jkIy*}!8#W)kEzkkMH4u4A1A zb0CT3_;g8F%O0)ul-5bHu=eO;21bg7`N7 zkrqGPHsTFtE-IjbZ|s9c!JRuCW{oh6LTp1!0Xab6dPegcWUNW`j7g_qY)mydW6@I1 zo;1&TBsI#u9m+{*i3&Za%sJt&&eKhlv_qx|4ann6lWMP{Q7w2K{a%MxjIktP^yn(b z)%iBR;wrBFHB9s_P+P4Cb&^j7MyX{jYDX=j++Dn^+E#RzWfpKbHM+r#II-F+yjQJO zy{TMHCZq5&gqzLs0><4fT~F?HH4ZbjwixUwEntjDMJK2w5tpk3P#^vn7SHvA4y@*c zca%={^5C4`wcF`ziydV$H61av&)z)942GSZV{j%>yRPGjZQHi3H+*AFY}=e96LVtQ z$s`lowr!ge>*Pb#-sjXlr@lJfKf3x)U;R{9t*W*9Ue_bHVfq?9yvrUIV)XsA%iI6U zzIIk-^V-n9BMuwE>nPz4T^k~2<`_zvh(@h!6OvskFVT}owyKh}@Q_Zn_Iyem^VOO8 z9wB!vI`+itMO}DSoFz!-48&Ayz#gEBOW&z_@NNFb@hr=|Bf_jzoVsgaL(5uKc>O5d z+hX_t;=W@+!Vah~jO?(i{aC&oTCvtuAZ10^Ikp*wEqocUUsL#kMooA^MAdhv>+UXq zXHo$vmNAymPjGOQYUo?nc}}~Km9K88v!!{KWAIlG#-(5pO5(O8qIaV>CG20me?7r= zv7eplPE0r%a>jQj@lM_nKd`!Kv!yE{Qr?KGE5ULz6;bU2U?+ZJ2{p>VC(%x+IO`e$cs-JVW0R>2JRxtkZUEax8qT9W2d)2;mmQ{5Kpe}p>^>r$s7bck+ zPKSeQH)J)+1H2c^Z&13?xUZ9O?j{dp^6dIc;gtsKvJN-9P#7OTON zDv_60E#Ll1xmLE_$G$Y+L0%>0KjJ-5`Ej^tEXAo^YT-G62)736YH8`-CF?4+wQH|+ z9aiOc@wp2CM!{)l$KHHU@iXWL8jH`Rn?oQ~Ic`mJNR6!XxV#-OhtEES9vpt!} z4wG*}0!y2zGQ&^=1grx#jA;`TPH@kH@aTvTl;zHYTW&YSDaz&!kpX#RHGu-s@Ni*q z;#wY=Au4m;5w?`ryDl5A_lSJm@l%OvvqW}2GI35YPdkLaH;kfKg~X!pTgEQgy_*dF zf|TyLj@O(2cKQsO8ciAWfJB{SymJx-9B^is&=RyBG#prB6p#7#Z(NMz_n4w$#8W)dwFZjPUTB; zp`gvEtSvz35_}Nq6AWzFyb-MQ@V{A9`^~U=K&0OB`FD1O`9bg%CUXJG-9ttL%bOdK zFskoek{vJFs&f!C81kw`p0enQCpybylw8n}x*5RN#H!`< zNtVz^h!uVHLY>skN6Ww#jhIPKMfSN9pNoq2FTkvCG7;Uf?#R4P?rG@%}gy7AG;@CfAFbBl=N!2=V`SRd+ 
z9HJq;9=mhoX1E)YFY-lmuMJ;bjo_iF98oA8SUv@~!CuY`+wh$}k6+Kxxd6<0P8qbv zUunJ+^RCUxv5)2eIl)|HYXVc)ZUpSv4-XD+eod>k5WYNR8m`+74Rva89zU8h z6&q(OSUTuregxrJp<7ptJS12@9TYrvEWt|FM1Nd1be=V~3sg&J=xhqLckNCnRkSl0 zk@f0zXBMW;#L%|kHv{PclGD!1*LB{MxjBtQG!Ict z59X#M{o>#m%?Xw=^B}a@4mMDcC6@BnpM!NN1R%@bLP6_de!6DG=Hfq+n5E zCEG|*V7+n=fR~yI?GQL3i}ZD{9RN<%0sW0Ws zmxcNH9#c8psaGUPb!4=GG>!bUz;e=^ob#?GF7>cTm45bL`RTxF?yOwGUCYe6)?mz?pT&@vq&W&#+Ul-;saL^8%b{Zx1JNuJ*puuEHG zJ0H=gDUxd0?%rgkJ8i2yh3;RaK>R<5)-1R1b6|4z(LbyjmuVSzu`k$;wYvP3XDRW# z$?QMhdikR^g)tmrqf1l01+vp%;+E%B>nxw>gZ6%^8_hA=M6m~}DFC8f8-Lo2rgAju zY)1(DMK1|S{W^Yen@Z^Jo_H{8gZrc#>)SlBJ40R0It-h~k1r>T=grF6@RBN2xRNcg zsJ(Nx#xtdn=+aG9spl4o$omHKX~vV|Nai2q=(TLZ=~+BZ>0cg2DGyuH^-*2zJ}-7( z@%oE#w0B~N)0Tg*v7uRo!ZOwx>HzeYXc|Kv08BMvo3uMr?i$VS4w)x@J}>Ufh0fAO zjBxPJlY$$9X|7Q4 z1N7T++&y?5onhR$3ScS3isEh+BWXaM{i;XRDV}a8_E4o^vZsE4mf58X)MxAv3mrr2 zB3u9DVa*o)Lj}=88()W4==mJKj&j zf!Av+djfZshZl)qP1Dl}Vh>(HVRyZL-MI~VrnZ~JeJQx)jb(aWxU!d_;4^W+TY4#Sc)W@WcI|E-?=JoO2|YQ>nf%+D z@Ug9z7RnkTmOzndVFWb7$j#ELPI!3MKH)P-k3!CxCQR1ERGC0cDIGZSs@ht#Fn zm`%94XHIq1Vz@~+u=jUtlf!T~VbnJTztn}sN5+p}xbQS-Qzk<-sO}Waetj5sSU8fW;ouPz24MJAAttuRy=&oo! 
ztXJhPwmVX%<~?(ME2DBxZ+I9y|4GAwongtvLsst;e98`Fks)y{}`4>^AoGDL-hgaGXYmJKb};@ z(gHw?pRrQ%^YT47>$aZB#PqY|PR*P7dhyR^JYNdbppxOw@5CL0xA=flmI!kT?}4C7 z-hO%rPf^{HIc8EfGyFdVW4>GwGil&aJ7fvW@5_=b{zPEJ1J>^!Ey*UHtg)|2nC9oV z+dg}#bzL_cu5R145fW2#J%JJ!R~=BFy9fv$zVM%mir~s^hgTBJF*7140tO3rZ>P5Y zufx(~IttpfdQZ;F-2q{K)Kdgz(aE~*OLGlwDFmLRPMCb&Q*sV}Up0RTw<#ibNDC>W ztQ#6d;z$8!#k}0e*}i{%_q^5BauyrGXE9RNQ@h?D(?n_-8`)fIwXnCpQ{&L>>cC#X z%VwIpmnyNJVnmGj9ixCWiO3@N-O&SZ zS|0yM8Yw^SE~RkgQ##07y^~Os)d`NC&?Iv22+a2B3NC5(?9r3@>I$!ymDTILJ=OF& zM0Ld!^H6ipTVnN?ntoe~wT0=lZBR2k=BKy7K`ee=IEo!2+61zed;zN-jdinDP<)($KW`bZ40r+WZVVh zhXcMO$)KOIm=hAcrCfPHjMM@gFS*7Apr8V1aO^i z+}+|@Bzm0{(CW@Tc&;2rFz2@qqF0rHh29uc^WL-a8ddNcPolZ>FB;)EZ$B&dhCxG0 zT?H3Cr0YAMDeld4;%OUw&~IbPRUrOi*R|N!l6T z7mfcB=;UF27dc|M%yU8{_hFP$zdqpq79V{1P`7xxqF19n^{}ojpk7{!)xCee^W;o& z0~O5G`}wKA)75c55d2Am=Kpz<=YFKdqtW)Ltt|7`jh3>)rvY07FWa9#HBy`){m&b8 zF4MVi97T3Ho17m+Qr9ibin9XPC!x7!x&bFByx?F<$Q%e@ikryz)7=Xt68R9uV?{jW zM^4B!h}lz5a}mlfC&Em0ZZS_3iAO}J-6bU#gvjzA3Rvx|fWTMg?4kl2F>L7p*F8zc zQ=dS8HVWOJVo;|fQK6-v^TQ%n&H$P}SHsh})RKsDq@xa*P{nFP4B=PfrTDPtvpfvu za*1KRTZA<)x!%J(eowbbUOKTT>wT-2< z^|F#z;aat8RMUv6+*lPzzWcs16kT{kO3bgW7RZWHRQ#dY*R|Hh>Iw`RLG z9lut83hnB(id0qO zm71Ct!;NM*5geS~*I$kh;~vL8--p!uBq+l8JRRg+#*a#^EPsac9Ir1t1~ zRDx-BkP-^y5U45;!%;xHxo@pf3q|5a4EbGU*sRRH#CSa{uC2I6_E5P3I0Csq{<#}l zU(`k$>l1y#&*3Cq6}oi$a^APP0yq^K?Nr5%;l)%X+_T0@FaUS_bq&aHexX?TX>P>6 z{IijGpaFbENZZt}kIGo9k*CFCsGaIYX+ch6e0vMw zCu6A64TTP%5Ks)hH+JWmN8Fk^r`@z?wljWVymoTKf&AQ~dJK1J1lM{B5?c^&m@?Pb zxIdS|eZfo_A8<@^A^tl~;glwspp-(Tv5+q^G%zK_oB$JGeh+YK5W?;s0kRBBukP#! 
z(OPs7o4yxV6361y%RE8+jzW9#Mut=%Wk*g`r+j}0IH7Jr1cmlc$F;5LJ&Y$LtS^(W z`vmuU{TlPG;F}99aoQ zckZf`IwJHTA`1~H(Q|hGp5!*rso=xvZK~55777&0i%9gS`iO#e<6>jigB*?txxzTm z#BX|nH1PAhAJS7)wsm3gmZ3=P(!7`Q=p-GVf+EQYdoqg5m)w9vHWB$A z6|O*AjF$}00eK@7fFDnFN7&7If_xt^3h+ghtec`fv5~ii z(_MwO!@}vV8qQK_lY&LOO+DrQ6>Y$~Y*5Co>Tg%dZzhxI*opx7V+)I!ssC`Vu`i@o zl%Kc+#G`(96{*Sl&0MsUpU<_&#!{?Sm=yL*6#>O4G3UY(?7FLr3%w@1T#nq>rqU!h z^H2fnw$C#IrM??+@Z5hJHT@k5C%VN*C0y3jTC#NSo@V}#ZUD#RWi-}DWe1`RO)*YQ z6NBn`#v!m(fLP6t zV*DAZYUkEu4inlnEc1w637T{-^b(qEa25LB(vv=IBp&mL-Z;xj5k5{!4dj+Vba#3M zfp{3-)gYIOS$=SP7 z=AZodhKr4x;?Iw%t>}eVraTZN1{O4_Kc^*X7a2@;$)3epXeMpkXg zTUJ0{1?(UP@_fMB)y1I#LK;89d_ti_zp>GU;P#c+f?R=7T2@_;&hV_%lSkeW1bk6)r!NviU+rySbJ}&{6=S}Bfue6epCX3CEMln*`dlD4 zf1AN07rZb58o=#}(Gn=`e~4eSL?G7hnD4ShF;t~&C&xy^rAYj7oDQpd>%l== zuB5b}rfTo(-j*B@NH9)&${=f!CAUGu(umuuZCbt%RqnupnBC|OEu6s5OJ?$2UVs8# zy8kp9;AV3u7_Tx}pu<3fd`|o}u=8L^4W~_MG?qzV9&Jm@5IAw_XDqUg-eQOC_XAO+ zc1Fv$3+~*kQbC(jP!MMC`BPvdmj5v62!TO?ngE*z^#mfZ{1nCLMvEJ_IKo287{%a# z+XG#SY+L*&IouyME%21Kudknz)W8!Bh{tI`$RppG$ayy?+d&F?7Ka zJ10Y|`Qx%KaiNh)kQ%@fGi65Ai)1Q1ELqfo z_WvB_}hh+J^o1F{$nD zD1HZOj!5eo{J}veotNTmQ~2{ZGw(AX6ATq$k-GUzl$YZcj*zoX{6dk3i!{J2BX@xU zsVe`lMbi|1P(Om1yY&z*hv#P|h#;WFCTYPOZ9`?)rv^OVt`%*ynn|a9aeBcfH*@Hl z$6n_$%THSXJ&ctiTs1UgRS8agz)$cD+VaARqNI%fbEW%A_G{z8`~*cl%Tq@sNQ{hT zH(?Sr{wo7<8jQ6wG}!J|O*EcWt`48+?J|dTJ7T!lXe85DQI`83Tt3wz3JfT@Sxj2{cU3=q-{?5_L=w zsSOw#+Sy>~x1xODEpr4xYaKxw0GUpS@Z(_Tm>@DN6bUd?Z2jC?Vx76%y-45-bl>lW z;X3!oL0j>;^zFS#8TRqb9|fZPs0s(WWW%b80S<_Y!0``cOokzO0ZbCP2jRpnbaLUy z`46x`VA*8{GOc5x(~t07FPlo9=*i!|>&_NePhCc>5%$l%ojTXmX*+7nyev+7It>~I zhiW>#?;z_|&~l5noSU3vQ0sOe`J#7%cTb5e9?f}7O6Kv&X#&dGg=0WQL?|pg1LVUM z8663TF2zLn@8(F;j|SM6BCUR7E`7&csboa=NoPbcK^o)=3Idr?g)Vd-Ebznb_#1*l zS2nO-e=Cfo;9>@V3+n$#VA?-HIi9UCJojT^GV>`Ti{Rq2d^mDNi}}N>g#F_Xx-16^ zRI>VWHx^j~)Qq`t(q;w1jCx^68(QaBjj(HMFJ&fQwvR=-J2iN8o1COiKxd-(!zIMP zl=_fwH+|Dcn&4H!)V=#%D5un{=Gs=K$o5;J5l!?RCc*tYIm{x3B>918;XE=&k3tuK z8QOl^y@cs{7l9ufdhI8IjqO#ObSE`6s~F&&(k$AG?Q-LstNdz*m)GG_q|3h9|CbuF 
zSl=^Wf`Pc5sFmcj(Vmxex3+7|;>P(R{d=bhp_Q_c0nc_68k9><@i>6+7yc918*Nn$ zsT*rqvze`}Csv8dYiH$X@0p&sQfpxx3z`&Mtcd*^x}Qq;leTOfH09@B^($5x>4wou z{Zrhso_F~yxg{bf-TIPLV8GQ)aedZ%e{$3QD1>KF(@wjwSm$Mis93BT>bnTiYI;*9 zK|1Wc_(bjOHFZ-6E3?!-FRY^mw)r>{KLSQBauwYGm0vN3QaibfdVd{R(xtj*{?H2v z$MPzvbWxjH`ti*j`A2Yl3Kvqc{|*kRb&O&5Ro~9IdwB)MO8~m-m~#gKc9JLy)%R#w zPrGwXjD=K)lDJCOpuGjE5>&(jqUN;dFz`a?DtPHa&~<-NFkHxDlr?8~;?iqy*Jh62 z8QmtnH28;QSx`qJwZq1>WH)9Q@PR#akFC?y3%pS%1tU;^@&nq>ru;9y0JnmjM( zu`Kxw{dLA5Qk)}U4b5uD2jDquZ+Wir5I*X4$4wrx%Bwt|$TW}@&9!q4MfOCD$5+p< zNQZkwuKUm<>T+cLowF>0&YF!sl{nKC&!U8W^kF%Ux-_}Ta@@L^%c8=n%FTpUF%-wU z%Vx2nGl(Q61wK21S^cJg+J6ARw)P*8T)=hCx2C%?qW!*W8An7XOt=ss*UVGzzQDHO zy#{-uQl>}GOP@t4(4+VqohLHxHF23m7{@M!?2Zk#9C`HqO55&Yl50?pVjqomP>*FzkYp?+jOC`P ze`1=NV=+`RZwYw3p>bb{L>!xqnIX#TMcLXatQn^;t7G@Bk~f`)uvg`;`o~gMwyTuf z(yXt%>gG$2fCOB#_1xDgC)%t-Q7ooin1E6dk==BKjXd-gU9?yM3KekXCqS0C3ojI^ ztW_!<99l9rNA`kJsDxgg)FG&NihRqrJa{lIYa?ea^JKFdsnj&7Bc7Nq`tP> zyVzX1^~2Y+>A<)cSVsmRdMUCTGmq`!)_dFnY0@7obN6npbsFlGCj9ehT%p%6b@lSK zeQP&VkQpT!c2~FK){>wnAi1x`+BK8!6`ElZT*`4?+kp^5U#%AdN&|yBO_O4`E&(Ov zCn=2A42(T|jBw&P@gWQX1py5M z2a)(v4gKpN{`d7?;vxNih==t5OFX3iB_7iMhj>Vzo6$pGMHL{WuWV{)VrggU?5r>4 zYH4DsulQvmacB~vs8ZBP)TAK)PJ{|148`~&&p>qY**k;6`NyNdy#?tto z{-uA2me~GFwDjMr?D;~4@^YD_AcBBU3W5C7;q(vMzfg1_;Qt9q%+T4{(9Xok@c#j# zQsdIpqD{t?_yq!D*#!g!Aa0|B8p1^>GHUnUs{fdBvi 
diff --git a/aria/operations-for-logs/8.x/docs/VMware_Aria_Operations_for_Logs_8x_STIG_Readiness_Guide_v1r4.zip b/aria/operations-for-logs/8.x/docs/VMware_Aria_Operations_for_Logs_8x_STIG_Readiness_Guide_v1r4.zip new file mode 100644 index 0000000000000000000000000000000000000000..4f6ceda0c9d5d13e4e02ef2aa00f457f838f8b78 GIT binary patch literal 282913 zcmV((K;XYnO9KQH0000805*eFSo)MKw%~yQ0Dp!907L))09H+RVRB_(L2_wfUr%sl za$$67Z*Fs6W^Zy|OmAm%UpRPQQ&dSuUs7dZWNB_?b8}xub!lW}Ur%;ra&~EDcP?;b zX6#u9R1;~}o`epvw4j2p8;~FoC6ojK0qKxXQ>cn-fC!-*LJ>p(!GbO#-Pq}%f*`1% zuArcT6$BL&3knJr1Phi`|92(?`S!T${{QYd{~kXl=T5zOXYSnRKKI^taBens^YwHV zNK4}C!6GfGhtnZ;!WfB~`k2D*r*2b&ek z;<#~G%UK*&xIcUc1NaeW=H}9ptndKjQS^WROvtkktRtesxmZJjBRe2!G1dV77gmpm zZ1nZ{8)IZ+V1#Ul$iTkXsY4rlX=tzl55t`>md1*Th~|Jt11eswe!(n%F4!Z70Yws) zZ!dD7r;F9oXPa=mZ9b86Fi08|=T5U`;33uwvN$ESkL)7@fiNivlWq zC-YxQ6jpcY`y)2zeSOh0lcpx_jYow3-DT>QsF~g)K<95`0 z+zeOHlTF-`v!=j)7Jg~Ms{BgI{4`ou<(1Six6y-jH)S_I%L~Bwk0>Qbz07iGAZ;z| z8{I#C!Pwv|{&nfo2aU%=nSo_DLT-+YEshqM(OTZ{fwp<|9go)a9Mg*PF`Zql&mUel zOuOwq;7;o6OZ%|)x|_-ms+$8p+}^U@7$TU2O&XYK~w#%JS<)yZh0 zPn?WpZ;n|bS=*mts&Z!Y(q`t#*yf})$sO-kk4T5rwmafy+}$$|( z@Sa^Q&;MLa&t{Ha{s#k*7aSL-^G(tV2Ye1KG;h)&4$QrEXYdy0{VS)!iyPeJ(hfb= zA1!7cHj_4qt(B2=^V(c7ZP6I;A4i8YQPrC)ulmAchhQoS($^GCZ56}$7+AHZRB0b_T3RV zi~UIKf$#v)+g`-9_C%e{k)E0A+V^sbmLE}3+^6LvSDT)*)tjHyYQ^z8(jIjkT_jicn8xAMJ1cE2-bUN!c{p|2U~7OIC3Dj}nb$

=yrgze$&Fz`8sa%zHmO&Ae~IMHY!f50yRYeWQd#|tGcO+Qu)+8D_UgP5 z8y7>HzGy*0P7pwX=p+4}y(ajHK#%t0!p8_x5IordAPDsgNd^Q57CSHqFq?saF<^(# z2o61x>CgHc^aLw5H_DC0v5p9fj0lHG&`1#1Hr9-Zs3rqe;Y3EjagGqXAj}sS85kN) z4fIbpKHY_6DRyK#2!%pHncxR~x(QiB;-aErq9WpAVqy{!;*!%a($l1*rYXrQ$Y4~J zfBI2XSw#h_p)&`oK5w>)iq-=BJY78^k@(XbV>2UtQyl}MK0F9YLPBDi)U=t>(lhnd zRMhnU*UP6SNKRa0wrI2vN*zMWp@ig6pIV@wAP6ObLKbLZL7|0&MMTBKB_ySQLcJ`6 zMhOX_g@r^!goVM?L~tDvmJ^Xz)3X#+pfbhOS77v$x9%06ZB^5(Nb7j6Vc^F}k&v7| zW2TZaPIHbHelC$@xWLHR#M;Kz&fbAcp)=e)JiWYq`~z6a1B2MXQQYX5*tnJPYg5zK zt>3UQJu5pWH!r_n8?UgaxTLhKyrQ!9P+k4uBS#w=Pn~XQJ#+S4TYKl#uI_8sZ}jxu z>%aeCVDRCiq2bZ77cXDE9)I)p9c&j05<&@_Q6*3ki$CcA?O*u!5Yhh?<_L zyd_nPxk5o*KUo}OwRLYzv&3uz+H*xePKV@l4dOlAC~O*H*aq+y@!>V>8W zp@8#*RV z9Bs+nTNhP~7rA${y2{$xPnA7z9Zq~~eyqG>p!-=|-0{VgZ`GcE^rJeG7w>bZ%r2O#_27zTrzdm83dQ}>#0!cTPRPdYXmT`ujB~K!t-`zA@g!fG zFJ;w^{c~5_d@Q?t=yBsOKl(0xxN%c!V|CslnL!-RB9^&RZ^-ZcJ(o<`p;Q^cZ_Fe%tuL^@L7EMO*pB?A$chbGy6VUrUVX zEIGgL*6513Bh)ebhzk@-G>)r+1}|G2-i2^r_*CH5BuR=7eglQ#qlH2|3Szq;6|9ma zY%y+VDnH1xGE)Tz5JyzC3e$yw%b>p_@vRu@QsdW_;6AADG9ij8FV2QZIckg8s_=w+ zDNp9?S{UTx?FEAUx?*K8C)nV@0Fyp8=au=(#?ms)B10Ds#YO6C=pzj6!?`*jx;KI7 z-jcU)wI9`1vEdXBQhKAM5A>$S%HVO)Zh_v-|Jgf!5JPm4PA=wT2*uN#Vp(TxbVodsSXr|8NL8^86fMf93)4> z=ON(EQZ+%eC&_~(?kA6Aa=-}^U>sdo%S!$qqx$dkK2;b|&Z@_q=K)F&$hO!{_D#KN zAAv-?lE!saIK~xX0i|#H;H(THeD8wjG}rc%UEPvTN*wb&8}9dyx|AJLJ*lTvQheZ& zEX>w$C1xS=uXFr&rwfFx$um-CvzCBa1z}#!#7LV?hi0lBnRIU0CucIM zbxJD8YY5RB`IP>+#1&Bb1HT#_KJ&;8Wf- zaUOZ*-10Wf1~W%$*1M&T<#*?SE&SX;op zUxu67UHQR$k9b23WcoeuM2jC>;z0;I0|f}q0}7cD_2}bb3^|}c1RU4Jwy?- zc$1iE0$O-j6`urqov#WIWcg>!38nJV@CGRZ6=)$((Yud|TJE1D7Ug>>dC&Y5sqIP1 z1M7v}ul+5=Bp0LDb9LQm%JKb&hueDt)6}LPt8Qj5-nqBtV0>aw)volr(WQOQ5`}fS zvoQ^BpikM_`L$N@+Y_feMv7*Zon)mkQ7EQ6wYFG}n5FAZZL6YFyOzFNst>As&v!gu zd$)w4h5IRRvM9gqJ9ky%iOX{oHb#y6AIzcJhOXEM5W&yy2pZsk7e;z_B;dhazQ739 zK@)hI%>8H>YfgNc0eFHaTJQ+Am?osl2Y5pZNaS}jLhzr}km`X?NU$mlK^UID7d%zj zo?$!hLL@Xo+0bcHh@U{u+C5dfQu^V0-4~^?C6`lMajP zghL^DDl*SxMh^^YRU1ZeVgoxnOO&Y(k^p!#lfT+ie{<5N;o#5KSXK$@N%U(8mV+O1 
zkiDd;sQkps6W4Hy=6-_cE`WJX$X!|*no0A6K1jqlG7%@#7|49KoteptrVVSaP5LT zW9Mqlla^3I1*L@~|00c^^)_zSu28S@18>^fEYmjT&XFiCGBOA%~4lA?XF-i-|7;P5itB$`$nA z$ZRHVYSMNt?3Tgp3~XUm-sgg6fITc4OCl*t@7YS|?prP=cy`=BBBip4_moxA{qE0(k{rsC)!{vD%Qu+7i37 z#LYcKx`KROI>k>Cl*(vHfSZ{D0uop=Sz&*@Q07zLZj}h)CY50C8+TE+IxsZXxvlbf zF-A~q)rj?#Y^N<3^JTcFvwQ6K?62%*bX-k4)ehG~r>(AJJ8y8-0%Vo_q4|+^aJu%T zoE)H8DV3YELU>(-+hb1C z;QHs)I5Ajx?QL>$F6f91(4!2{Be}4%6_edw zW0TgGfzEi<_b6VOy>(?RbbX%r@{c12VJKbSCcsk5m6t{@&mC`r04Eu&iM`=*5#zZN zZ@lo(5dP{fM&+$RfbYo6uU8Y_n)GOR73n-dXB1ySO~NW<`^l3DZMyn3LSxm{C+2^6 zaob$f#=7v``)=i-GMC;%7hC*{Kiqf%eC1Jwg-eggS_XF39!r=P;7^}^l7eIcPqe`) zhmI0Ji$4JehM=RSw$pS$QC&PoNHZB_q(qW3y#Lf12$`{U{zh1V3eX5^r~F+^(fijq zZuHQ~fiv2PdAe<;`!EhLLES!fK*4s4)24)bRbHzuez?Q*cCW0cHYk%y%U!v+EV6^> z@bX;jub_jwaHsFJVzsT}LkgVSOt|-5Oly2ZFjSfs_3Lwg-yxwH7Ur3ERSj&Z*RN2Y zCFw)KZ}6EwCPJw&04;5C^C18qP_M&dQpt`Mrv&x7V5(B^1sM7G%by^&Vq~7iwVdYz z$40kpg?_92bdcCQqllWYs&EdCzvVRbbRU}mKZ>#PIsq1wlCJyi9($ne#cP>4-=$LBCc9+6>W4n%tHaZM59HuL%e!tF2h6n{w zZFP|%J9VliIF*-~De8=t1uM^3oy2k=6}fDsh9w}+m0}Sj`1}t$*B%dL`nShn5DNPa zJ1K378k4c)kVxy$givOjGRiu1Ff`>5c025%B$KSO3Z-erA%~*DBGrnhq>SS#I#Z7A z>hNw`yTALs=U~`&{qg?(Xm{T~9-rsqVdfss^<3BWy}sYuI)VgU5d9-(1dTNoz!a0l zr2=~dv=hQg>M#6w{twbshPwKvxBEw7b(QVImR}XZ=h;uslb$>*#qS$`K4MX1R^j?7 zU&}5YYyN)ce?J;WE}P12%xdD(~%1aLr$1E z!|I=g0!8coV*kEws?U}+W=db~@fsee* zDo`t_`t^uTI?LTKtrWb+a!Dp3S281oDT9M<+QFVIsRk%VMnpOA-3e??t~7@Qd1um$ z^QNTE%ITzwpY*LiUmpu`9sfXLb89lYG0*D9eBX)7FBf#C)6Oci4Ano} z>g{b!S6@Zj;`wlpe@7iB38+d8I=%8CW?wiEvqAc zJJ4HR>sy32H<1IU!6T6-np> zz)UK~9+`0&ZHHaENcV;n37&T=NEH{W!ix1v2Y2ym8J{~IaXJwAj#qX6+b@5s*h+<7 zD7c62o|#0axzcvv@$_T+#^1|U1W?Gq_LXC|_b4YUzNrz*$>Z^KY2b6KfmgSgg7km% z!H#sLwgjIk%$4Y)C>Ycy=A9q^T>a?_2qLa`zwu3<5d1TXK+Y~XFZbZCl3Spphx09S z;MY8UOekt^BBS~ThZGa>s!qLHs`D%SbkDHWE1e404UTc0T_qPijGBrIFDkfAPCDpBy<_Q z{a%G#c#p8EK(8SB&cThon_KSZ*G1Iq%u>sd>HLMg>(XzR-v{2{xM2r&KRnMXes{pJ zeNnql?`5NsH}|`L$CP+HCzPt)joe-hd?_lRU z^W*$?KN4;*Jri-^Mi@h)&Nfp@N0;`~$D1l;RT2+$W&Au^I!~d&Kljzy^oyDd&qi7m 
zv_pVX+~f4qgeDa>JrAR3hb3xwiAG?doZ))Ifx^L-1rADHj#Hk5Fd#xM=*l`#8QvSd zSo!S6YzfOl7qCmRbEJeqPEYl_*IWlp9#rqcF~00{r&I1ecKtqTozl|_v2_iaT(Aw z2PY1DBNwqDfN&!qO$?XYOOqji@~C$Yd56zRI*J07^8xEzD8|0gvA{ZEgdPgR6+{jg*RC#zq=st$w@Ne;W9!8n zzxdFm!V%e$2--KN)K1AXJiXl?*3sogBz$g|uXHGUbN>(d^q=T2cC6p@{>>}nh!o}{ zMpeY#5GIprO9AAQix3Of2ESlv(7FMcU#OOmA(UNzP0@ z2Cicz(G{!%Jmj>wlTSH7#~~ct-h=KVpO>h33O^6KLf{jZu;7=1&Kx7k37Wf4_cUthmW&Sa_XHxrRdE+Aeq-DiGw?6rb|T=Bx5?6O~P z-8)fjPYyA;TWe9!NcL0!47ey3u0aDW4S|-MM#cX-Xo_lxMIf@2(s$Es!h{NJ}sfr{l5#VZXckwm~lsIb3~RUTkmZ; zepl+C23Gsl&GkL=7d|7(L)-tj$Rmq<9z5&;e$ZMQ0F}egbO>y80u}_Gdf1Icw-P`U zGb3HOc2$=5uU`}&y1}JKi56Z`T$L)v+LYSyTB@sNcpkpkN9Ee`rtuY_aN5Y@czfK{ zn$mHfvU27%iTVBrX(jFSprb(NMy?Tw&47xC>%>S2EK#Zea?!tqu_hTxo^$NMoV@a# zr3s@Ike9es9&00dFD@J%b}QP5Fy-~E@)IVZL=kq;qeY{^XbwmUHa@M$f;RiKp%6aa zVC+MlTK5SvZb9AWBrF9i#|rq1(JO5kkFK8+lNA}!trQKAUSP(29%~-hD&P6bDcuMS zvXOfDB(QAc1-A)San#8Z)Jg+R9m`6|NCMB2&VDnsyD-sw*D+4<&L2pfLk)9GLSqmpMqNmZ;AI4s%`z!JJb--@zh?iM*EsIUQ7zc_Qn? zY_nu5=)R%!L1sYr2>NkN(Mc>C0iZ*W@iBEsAcy*}PQ-4Y(*dANn>t=g9&xb$e2L1n z)%oXDyF7cz+cAj-zaas1$z-%WEo{?sjDiJZS-{^FFW+6zT4v9fkXq0dR;d)`BTlG=nG>HK765 zDfzafuvIc`3<=FMin?LSfl|X^?s>8##HrJBU(|;3*)e3rR~6s-Z*&P-{G@GA1t)22x8_ zDN_9{Wpn~q$yPJ-#K(9XjFnD}B4D%#5MNcF%J@ek<~pEr<)Q4bvwQN%l!vEz4m^3LxP!K=TbT>!6kICnP@f`@Z=fCFjS z(PAG)GvN6xZIYBmhx6TbJfr6)m4PDVgUgt;Tcr3;s%)TOb(B5g*Xx=PQbGZM{I@D zXrd@VfXP1$E&-9vGY85D8_iQS zrDt7#3Ez8iCmN{oVKJBaCkY(7_(pF@wM2k?oOwa6`mS}6loRBoAssGO`BWV&q70}v zeAuON5t;e5O<}b%I$irot#a_{i3Kr8A$zhV-emD=_6B`5>Z@{1U)E(P$Sn0~+s@q& zUyPlp?ePigc#?}?*0?%#IGMRTDd!kR=%FxL6|>>I(R zl()RwE0ad&6W#~P^9;&vQzP4898O6}6OAXqUlonO%@!H4G{Npav5Xx$`>6v5(!#-& z2H5+9b19{Q4)vX-xrzK!d*f(`uh{0puu=5om&UN|7-uy+?mAqGwyGaL+z`eW%pN3| z;&pJ0m>aNe`F8&hD-kwhZM&gQzcPH^QE_X}A*1632b2suFuu=KEv9S63KotG4vr zrT{Vn?ka!)6q=5b1{*avn*%%CY0C@`A2Ve&B^Y%PgY;P*elTz?>cX4QaAbp3Z-8DF==NyUCvV&kFe51S_7 zuU52NL|mBv6WoyJpCu-yf_CbhZ zh25Kpn`-KA8>$>0eB*zfLRKwn7LwQpKAs4Dv1d5iBef zC22X=f|xxqcaE&WyJsi-HLv`7x%G6B-L@n>&eYg)4(>{yr7v)oo?QI-5I0>W1EZWzq{C<=J{jYy;@tj)f0O>Y^4qE 
zHY`3GEIaJky02#O*;v^Xk>{=Cy&4uL_$YM&P*op)&Q2*;%W+~Q+Y}09&kp+`w1Eqb zBFg%(l;#sNcF2>dqtWhdl8Qg9xs?#pFYMzI%;_UP|Q@*i&f1YWT-I3i%=)|DTH5pA(x6D5(KPN~4f!I?TXv)7ScnSB0X{9EmVY= z>I8m}@03Djnna@gfzk~r{OHDy?mU!&K9OFo@^p7=84aJSS?#>*r048FI; z9}WKEe>Sj~&G&s~uH`<)W7d`HxtMIl6GghUt+IWb6sJL{u?{!;x$8XIfU#0tBO1KZ zmltpUd|-R{Uph6he=)-6GIQYcy$Nk|kL=NM;6Eost{Hd8q?m+QXn>%Q)1(*0pk3=}kikdnaYxk_{f zB(l}{N%~B%`*~NzG?l;9EXiXFHw*P{aA_ynYfJYOWdH6voS>&=)(cTKl8W$_bWiHq zlkI*@+hlWAq+aNf{D=M!UJ3}jWPd-X-U9H&iWT{G zKChD!P3BCC$s4|)sG*-0{sgptTLjk`2rVuMm@nb<7|&l1Gcu_7bT?hU;O)Ufz7A98XqwK%0dOseE5A*4O974qM3WAHSqL6;Q6(@} zKSc@}`T%t>niz>`u5}{MWnTNneAxDtVGQzbP}!_x^^A7hxKOQm#FAm0?qa$+enF@+ z837&5A8#|6YBLc{{B2Kg2SQt<^WKWYn8q(dP4Mewv4uU9dX8ZCR|vH_SnJIY`(I14 z4B`5GgPN>q)Ng!f)p8S3JInyI25s+f8qc{O^H*cnRb>Vv&^oh`heAuoE)RhgXt(w% zV6{&`RWL6>Z8QTBuTLwLxEz~(9(x9tuhCDYSy-&Oa3D!p(UP%aLGCuWHTb=9v(A*P zCCjW>QK1!VY}WwTjL42Dz2$3RBybjRe+6aDDiqz@rH5ucGm{~I+r6oJ$R?MfX@)$3 zG^sXvnbSPpOrhJIa6gvapV?@#*-LdZeJt;OHYe*;an&>P`lQL`9=aCJfQF7^(y0nt zoQAFpT&#JbHTX0n7f^kSj-_`6#KHS)0+nbP~X?UWrJT+ZO; zwQ+s^<5uJm5MQo${G}Btd1cGPZAi(SkSiv5TQepqk@*A#jsQtOTH`?OT?+jjG%bNK z-8|tpPQxv==be`{F_un6xXTM~qfUpZ zceMIJV1Xe}fEOGL0kCn2CEV4YP&BOzs+$ZEqDo&PPut&iIh4onrrTKoH05>~TDk8X zEcKg;w~+Rr^c$885%N44q={R!zv{WRaC9CI1~myp2CZ#zu~O z(;jIU7xQ_GP^(_5OKLSk)qPf~N>X!;`_QG1+9x%!WmZ+A1Ldi<%^mAb+z97C%)Q9l zw(iM5dif*gR|iHPFBt)S*To-a016UGrlMsMRL(zO3GVrbgRL+cDhHy#4+8w7a;^|p zN0b<|&u6%lUoaYKp$DYk7ELyy5FL#7Qc~-CEu88g;8A62Xz($6qld1efjs&z# zfnFEJC|H2D8en;J$;xQT296kL6N%fzV7?-~EU@c@d*rfYbFJ?7hvb~5avtM?v#HCJ z!^gUSf%^?Ly*{Va)X7wN%3-d*yE!4x;})AipHSxfUC%0n<58}mh{WDkj=PlSFVsu~ zUh){cbR3y{4QBGS%A34z?OK!&JRKwLfb?aSyM20=nE-9M=Xkr`9^B;XkhEmsSKS8J zJq7_gcqs_rG!K3QBKaGX!T9BnIzi=JpXlJC!{N+(x2^R2;xqNk=`AH}DV$iqGHY|2 zMn!zKryr|z4@8_f&75|<8-5}-oG@a+t^hAAAP6gEh`wl!LO%+8jS`UH^uv&cOz3i1 zIozwLPP9$o`V$d=b)o>f4&f9y)Z(RngU)G-)%JJ1B14pPnz6g1J&hjrWLfn2pGBIJ z&+d$gK)_oNgRnIG_^S>13x+>Pf{et6C)<3Ri*INos)WjTsDy(%dfNgGCe@1IYoUG1 zCWlDHi9oD6~JF%q})CxLR%skm~0UIqw 
zc&6vB!~OKOd-cl_kBoYyrQmS#;&kfM$S~{t9GrLnt_sgJCn@Jb97V#=55TDx7MDQH zQ$;X71fxb6&w-I06kD)RN?~<#eq=U-k%S3y|?)Q^ils5B-QQ!y{;V%bHk9ix=j@SmlXL|sOuz@w|rb-DCt78hMIBI46 z;r4}bQ%2+`xpoV@vkz25b~R7dUdUy;=d_dzg;#Fa!YG1r3p|VwKHOrPe)Q^VKNjbe zPW)}Rp4B^VBAD5ZpbO^LQT7!w1PIZ6!Git?zQ z9bXN$1XRf@IA>5_>@<(%8#luNM2K| z+U^6Vg&z#!i3zP}L*m<%)_PH@%A8{lo)Vp$=P@Pw(|hsL8jS9`YEGUJoAWBsFnD zI^vP;YkNUo5Qy$UUi!blEDCFD5bo+8xmsS?+m{x^Dd%+TA8dZmB%WUR8}C_%&3Bt+ zro|u-x%muWL<07MfU(g13`kZkf}IUT%!U7mGy^GnyOL7B?0xythJC(N8qI)x38IWd z55Wh`S8%}{ER8TfeNpRHg02rrTt7E#p5B6##m5GcpRw@zv%|j?4HfcYptTpIRmWcZ z4xBJhgT~xORH{&vrlT8OU`>gxDK)6(vCXy$NUWK;J>d~|&mcwi{5fx>_5t1P3C~3y z>P0waeDh^(uZ1V`w@3b&<(4~dB7n`iT93ZAeD<0D3;YGYAi~t36eJF8N-R)ZG*RAy zzJ^BijGcptJ@0Y)rt>=bmfq*}=g`xO-S_t9;CElsQq?kI34*Be{t~_z_H70n6iP(R z-1eRg(`NX0^710(sqF}=q*u_Gj2}17?jlQT`&I;@!*Z0dJUBerB5+l9VDLoU|L1zf zRz>8cn;|HjV=oDYSIdZ@cc(QgfV+>23XCanE)DC{Q=)Gupbrt0?b7eLICQ$w+L&<; zRzJ0he8cR8u`@~TnSu8!>YeZ8gk0U@*T;Fe`$C7?@I}9aF4-uo1V9nwrx11u!BVLL zKNSsB{fY3ml>Fva=Ws>Evw27N-|X05(4P~8plVlTt{0xNZikjYUtNQ034jLJq$$v4 z0KRAgm>!zKVhO(tV5hE=01rd3j6L%8(Ta-wYWGC~Af*)*N59^f!<>#3LDp3e=ZV-w zFU+w$X;R*_>Tpv2W|Y08H4ueG;_yCm0spCIT>pswsL%(t*D1}yE3+&}M@+tUHONl! 
z-Jw!cBT3fGn~C2V&y(vKdQ&-+mO%)$SigK)H&OuK9VAmXX)K^NTS^SKcNUVGnGebh z273;SE>rAYu^%BSgljHY>Y@pDAZWnKsgz(Rm5chR=q?8?9cv5!MC-F(UcJ=0tA>i1q%edt z8J#SaZQZK+INlK=s<1Hn&4y{pNK@FTWPi-a z(I@|HV88tj>yW?Yt=Pd~c^|EobuWr{Qq`LAa@pnbT#f#h7aT1Q`X#T3tnpj>;@QZG zcrMMHRPq|8?WST~KBNL%35F7sHV6Pt0-F-E?gf8OD6q&f_6U}oj43}M&ng_pk7EkX)4htA)b$U^!L1?X<3} z*b*a=kkG&8j1}(${!RLb!sqLANra!&1Bho0^uE!|mLaQz1ANW?&6kApGbg|##g4IKpn+}y^Ox;7Rx0JY)Y&9x( z`%d8zCZec1UK{RTbkiX9&E8R^+oQ0j-=Ab!g8J-%!4smagv#F-{20nI!j_NJzm+z9 zG^#ctWl6o8<^n6=@f3keAOsJZ|AU4UqN%L1;hND@fne7eH@gOXgA2DOIkVPZdyOdP^8l-Le#kQKIKoNyeDmlq z(qT`qYJ>;(Tujte{nHQHHL~~AMS-HHYy`j+pA@JW3RIP>9$+z2{Q3f60-a)0M@vd{5hcz}$?|P2|#U_8{>$O12 z@V#)p|G6mBY8#?yz#L2L-IPkIW8gNZ}ZAvc8#u8M-8c7Shxg35Mkw@7uIrm>$5fOwsD9-ueA29;^-h)lw~=SXQR0 z8TC^CYZO_ewky96LS*U1cN*Rqu&$h&e|ZE!MoH<@x!(zi0s5AxN6Gi8wr3 zjr&ekeM@z1{7olJd-grpbt|(%>qv-v_d`4S zx~$YdD#gTSIO(E|jnTyaoq${0M=3Z8np#W3?;TlvK| z1>S~;f*)Obv-A6trSF>6d;0y~<9?rpyr_5R-VYo3fEjNrp(fHc)Ju?%_F4i)F#Ov< z0C%ChBOo@kIHsHQxXtuSh)%n37O>51RDFY_D3ImCb!z^KwO|r0sDj%>f;Q}uIxmQG zvF&RuSdZDN;GN$)cRnTRGPKF7Hh^~qcO4D7L~x3n5=V&9AXJH$=iGTb;8K1+n0YY? 
z>MiUyl1=2g<}z&>Cln?Bnq#FJ2j10l*YT7a-zwk;lU~R|=jwuK!`4%gIJqaI1PG!Sx!j_Lxa4ATtgC1 zK2_l#tac);HtR-tQ2|mS@3h+fgr{7Qy(SxMB9F6GTX0$ZlH#oq?XTMW`tJ1sMGuHA zY!NQA(Zr{w;J>9&r{#VT6WElc)~vZp2KVl z{PJlbtGWIa*~_gSX6v0ImlhJ8j|Mhe_qQx7^<3Yxxxn%EKi%=u4*;pSNXnC`}l6k_E zrNZ9Ixod|Xsek^0R2m}xI}~5xIMRukn@-%1>^eAW3Kyb`F3Mw_Np=6_G2sC`Hs5Ef z7s^|B_-=$Xk_$ESviUH}zvig%2bkGDEY~{~QChe~$YcovyX+SJG+dWBy7q>vPjYF6 zhUIbvQ%ltzsJoX92#mU|ZFxfYr4G^#q{X2SmJUvo0Zy1Q1ruH#|_vpeStS5bcRu?!or zS1Z*ye_k_=@E`WhJRYk3|Kmq4T9msGEy!)Tm};~rUw4?cNt-m5gd$3XN_EL@l%lM+ ztf`Agj3ueG*^-duUS%z}>{-JY%MfOM=bTxL>Kfng4^JF=CU<` zb6GwUI2Rd`+O8?gIxi%5{3PE2_KeIj2rJH6i^UXOX#@Onxsa5&b}0mD*D+%iXStT@ zRl)*U&S(WvdpF9mCnY_&=7+}eKSzH|)ukpyAE8=mcRMFNW|mIhr~>lVW_9hiTFXYe zP4_(`YA{>J{Q`UKeKg?OS)w80ZmTxbIdpF9l2(*guh_AF?t16H9pnMrat?>MO|49W z+tea*!@@m^uIrbNGjbAf=7Iqm^1Q;DXUIaEl3oSn_W>c|4B-2cq##zw)=m0DbvIW>}dAs13i#W=%d$ndY6KYM1A zE5xzd&sQ&3Z&il1weo(U1HNWJ{D|SacI|2ALQLgh()?C?DElcRk-u~Ao@-i&rEM2F zI}koHF!Ic6k;h`zHQ3XrB`1NWanKnjEpZ{F;asu$&f^=*;SH*Z${83%3crr5MgcElu+}e&H?YBLwY`hD^nhL5KTb)P1#Vyg!;9n zGFKmOn~5$&hC`Y#=LpmPsm}$EolL@ta|u=(UPNgBs;Pvrj13rNK&D$GTeZl~mjp_r z>J-o!(Cu4Pl~Sonm2xA>eb#gVGZy{Fg|LR#Q7W&Hh9`LN4Q+Fmzw?&hV zZQHhO+qP}9W7|$Twr$(CZTtD&^B+!K)_sjpW3Rd94&72FvT`O^$XI{LJ5yHdHIlf` z`;2B1LW5a@AW;76F13rVA;$zZOCGzFG7%Q=?QeF`_OGbHQAE(zP%sHhYKvNdfNuS6 z!#XaEb)+Fdeg2!0i_L^SZNn>$_a#YTS7f8V%teBq zc{ZxHU6Z2kQ~!nj_553Nt<&jx_`ZSc#s8WwPGY`)B&C+l2R+cs9Ta=AT_a%N!Y-HF z=WqBuvyIOpcY5xXlbh57QU_Tg2PN!ylX`dwOA?h{2YUd$5q;KhX|&+yAZBDxZET+^ zZ-q+La|G4W=acpjqi%OGmyikO@+15H4G4vxjzBo)ZgC|3^1s?TtW9;I0` zJ2m0ImRBvWJsqpEUw5|?{0{QC5;%ENtB3LuKihJH+!3q=Gs>QuO_uH*cMVIn=I+2P z+pZks#>t^@;W5{XDLqkTys~e}3>-298>q@`{dAkxaj@2AjUwan5-Ph*O}z9E1o+blKT?{!HYX^F22ER7xaK2vMkdHS*R>gRK$YNp9KFxYZtFT66x zsJWn|2W0&_OXqm*%al`=0@ugjBR33sJM-7#AbaQ&(W9E3Gp{gHe<6#UdiR+x^PD~< zx#H`lFRjqzOHPSsUPi>FqYDz7erP*^hAd#3TJwUaE-XT1Qf|{yWQqp9C@%ZS9AjsT zTN)I2{vjsXQ(xpKL!5*Csx9-zv@pBu4sgA>qgmG`y731mT?r8uh>g+HMS;ZvRPN*i zZEJ^Imze5L_xvCvV2)^NnGT_f$9I*l;u^VWCa1}{IVlB}Qa_KtdMgcIR?>UXqLRWf 
zt|qIRtfqQHP&!LFo6QY^r*3-PH4_+Hzdh1Mrar}bOBjtds+^v4Vh;I6XF9nrwy8i~N;vkF?m0e{B?Z8B5PVo@&|=n z*48lu`PelQg`%~Ak1(Q#NZW*t7+DZuEs?TKAfbu&)@g>n5ec{s(?9&b#I~mVEs$(Y zEe{n9sn{$Kptyj2=0-FtBkUniOuVq&{>QC;nATRN(r8frECp+7$Rf!9e^Nta7Y zl*=|+Lh336HW^J;_36xL#t3`1IRtaT6UA58TYkS-adH!6U6_0S0F9~d{UKKCFCICh zIRVA1WP5$B1wTIAueO{kl`ZMhJ7+tidoj)ORXchIXFf}a+DKqp#RACC2-RBCGz$v{ zt&RcZSYQx|c#TfX&mkH6FjTb1n$)f__FF*NbI&%E2)MHfpAyu^qMjJrYIu@^* z_wF)RxW{>_5~XV+`!r)BkkYe+l0lZt9=Z494r$1@8p}s|%b4$4pecd1FHYq%BiL{p z9tCDW4;}rD*nkm%rdcySs?OxN>@&6&j8s*PAGTaF`nP~14B2VcV}EYpMdfa8E+6EI zy8C3Vu=4!hx8Obh=|X1TLsc;3DKtTv7Rm$B?3!&?6$~ z3Y0B{ByBqIHGU)f1sB5&)^fb!inU*)N7d7M1%+E3MC1MgGk(#4VaU^!WG7X68l|un}9R zRNAbxUXj!`pqzvplVZu8pqyEFxg795!V^9;3DpH>CyTr<^T)n2f{IPl_UOmx1mjmk z#rq8{bJ0|`^6+MVZleXgZX%81f-bVl9%1RgP}RDRou{s(oL8;H;&T4wiB=#fJfx5U zIX0Fm^`FC9Yq}_gGE0p+#jefFW-R9liWTI)yYeo3eBqDovj^hVL9O>}knM}^M9=ZTdY-pQVxv9>{{`_U?z#-50SDM9}lk&m-K|=6#o*>2q)l4RVrd1Dbt8c_7X<^jpNvv7f>Rm?jTJN6S&$ z=s_}f>-Q2j`3Kr+L!Yp~B7QcWJqEIaSLE(akCGy7u>R?>X!R5_b|n+}m<_CjSwvLj zQWzT#Pi(OCQhaBn#)$2YW1F3s@web3zl80Gms3%LuE8rQ`1?l)wI;c{37L!u{;Y)X zHt#cb2-SCtAb(3i_)YT`HM2HbXN%HZu7g%6oI?N>n|5*z8?icU0RPtyiRaZT%n}7T zYs63RW?e;W0MBOUUP_u8oKJKvk9^U_08=NeGb4z~{GP8I{KjoD z^dZ|qW>v0#b844>r_hLu^w}ggt)DoKiKL;fykkZ}tfj;!W)@0v0%lj&9*LvZY-Yj$ zvd^%XjSC;Whqz88s7s=#&^N9NvBEoU2Chd0{!on99_1JsO;MyE(T%z*(3ltO2A9=g zx6xL&8~SysT!;G#?fuOZ7F9BN5^p^XzpWRF}Mypm#D z%!E)1HQd>Lc}`8b-SrhIMc!Kt@^{K<$#kC z$=`!Tv_n{P$G=Utlav!n~sj0B#0#|Lxt$J?KPl@1GC_LA%v2w!KctxTQ zxOU%3<@(w1M$(A|$Z?>l`WT$$DMUhIK8|*+o&Jy=KZ}qcL7~UWK3VJu-TWUAT7VdK zyR~5i2^3Tnl**W%FFB~gPkwrsh-Ayr_uxi@<_ z3j%%MFW4^+`bR@wEaL*U<`#NiR2NVLG{L}n#apdmYWmo6e7psT=yIX7A|M5Fklmdw&A%UMWF>&O16l{wwqTd6|H<{C;t2lWX;krvY&$$z+2yS*i%l za0X}n{cQJH>p)fT4pQK{Kvrfsh+Pr9tDFYH~s)1HDtoJ5^zF?wiZPDaR5(yn9!UmnSX^UOIftpNHWx(tnFU>vX80I zE5FJeCXC#*5z=WLUATyh*H;htD4IC{&i6XOtsZp`9>TX|6qrU+Cy8#GiM(AP|LOGp zzmG3W-h=n4>(dcLKm(VVy*I3%m7O`4%V!ptG|W5(C$9S1K?qlxp~JsI6BBEbxSfK? 
z9V@@fj0>e};3Y7c<(08stDCXC=8eyGIQ26?hSya)w}+h_s)t9L@^{>}c|I{AXZ37};06cwafQ zw>m=|<^|XbZjAp5A}TUE5>jCr`=9l#^-awzu6gOq%#1(hV%2cAurt+i=V~+6VAXij zzq9~bGTUQALkDx1`UZ+a&x0yK25a*>AVlVsCJJNoqVz={KXX%KFDrXUMmNI$OjO@m z4|T{c-!zec)u*~c1}8vnL{XYIIlKUtG|)5c3@m819Bpg_<~bNHY)mz<=ygu@vw+Xn zhwRjFzcfR!1&#f4(?OlapE&Y9Q4-@5!=m(6mtQ?YQ**=j5zQBmnS8O9HFeo)*yku9 z5}MR>^1e$*=uJ)=#0BQYhHqoR;qme5*Cq$LB7-`y8QR#4hzv|FfRfWJATl5n^mn%} z1{Sa`EvLS>J-+Y2pH{!f!t`l(hvDL~*cUZ3Ez4kPVr5ciS!H4PY>Xtq0zv}DB;+l` z5*VD5*pm>OS`+)CK;kqnqX`moZ9w}?43*fBR}zfWQ`DRnJQ8hOC*SJp1z5TUA~E`x z?#Nh_&fLiEWi&QDFnh1EEbD{!5vtNYVb?P>h&v zPVs|Mo1a(Pb-I93r0JM&Q)erYluckvD?WZ5+a1~2aW~l8zPXX8j9-b3^{uYPIMWFwC#f)hdVs2w)1QmMB-%@o zy10<;m5q(PnVIvri@}72TL?IM;yz{CS$$B(@57eN(9;QiU0T(}4RwE~o#tWT)2n4v zZ8N7KBrT>StY1Z9XhFd!!$l{*IdqQpgw0`L^J0m(ylOJnNl!eW87!|WKi@wnv@|sx zF3fCGk^On>pWICX{?L@D+eu0HKxt%`K{eSKtt%@#J6LdHbP0*CQ`6P`9GP5VaRSTJ z6;n~MCgS)1JSY_FA)qG`S{Xgf#BFtQa$R<1=OA~o_W64M3}Kl49N*>hdK)KEp^j9T zi|zXOHw0#6C3rnNY;I#?+O@fKaB#pKPBnbAAwDI|;xAXDq9-;kZ53IjyZ$5tEF3*y z;u)gP*Az^l>y;u{;}-y+`44n#P~X7DhZGSlXGE6UGiP@bZdzk81|93p-;4BcG|=5Lbe%LxVpN!36Bhnq*EK2I8WsCRSg3*4p~IZ$oL_>w2;PtMM_WWHRurv z)&c@D#&TsI5b5e{U0qYczX}Pd{VV^LDgtXnv*+Xza6EVn0|hVtA>Xa0;zO5;@-8AL zBO}}7lmQJPfcShgHZ>-pSo9u;c=fM`4Sw92Set+r)KiqfFUJlWspP$#lR{z) z>@kzPpz+)?bar=2rfMPU>nm?x#c&5Y0gQF2WsX{05h$AV5BLr_GdMfDX<)pGpNh)X zyC|i-q9q_VZFTV(YWI3O2c}1D4JvpxH37m($XgxEHn`;C_ALg*$LDK2I=r)yIe^*s zn=z@Lj{yRLNnrWDUHQ0e9uhs!d8O6e!~arvhbzM49W9Mr-(CTM`S)`aq+^%w*5-LL zJ8Ltq(qpgJ*GK>uJKeT~CaGhCBOMR~L`EZU*za1iYLB zgRcVcx|`D)3pUy=y$iWpT;-`rl0=j}Hyk7?SOMH)l40m{P*9!lMHlxoAv<&X{9}0S z?L_PQ`+JmG3mPSQS|H^15=ZMo`XfEZh{yV;5fW0PD&IxR+E7+V$lj}m$JR;Xco9iY z2n*ajYo2in2rBYSNlElYkGjy^Zt&oakcHY+Ltc1j2e1%dwpKlBR#JmRJDqBacFK8ILNAq-LYWun`+iG+G9+)zc2 zH^ip_Gwk1trVjoaY4y3OuH&_%@`@ky*4@kujKlmc*4mjT9d$O7D*y2@ror`wQtFc3 zE%?8$Ca7^NL5JIFL!2r-aHuyO$eNWW{ZjO&y&CCs=!%@>Bl?=)S zM-TYnuM(@I(ClQE(`SvZnf**Iz9&Yk8#`G4Fpo8{HYaBm*?Lg$Aggw2h7Dxj3v}n&VC)>a4D7;^$Re)aJuog4kec 
z`xvBm2CLPzQb7Tyr0{5(fQd$uy*f`!BgEZ&ujdjR5unqTHV~sKMx$yNnZrf)R^Dys zCMTX@SCAK#UNNRkxiliM6}!1%Ir&GAWhB6m>C;^Kb@u6$3M#a+Wf6KhV=UcFSp{8SymBSU<88SttL1uOy4Gob7 z^sSScqNK$g%R%zB2UF^Od^9W(j5RhgkxfV|ixYRHJnr9TJuVMnzaq;f;crplXB9Ug_};CT699gEPe|j(htCoz&8MaLB#Nax(3ZE)ya0#f^?a?ja%v{;<7< zm_HE`O*lDq7#czF^RNN)xx&L|$;vfsijXZ?OeNWLcI^IS1Wv|5Li4@Sg->VYy&(9? z$Pa5HAtJsv=q~h${Y6xvChsmPB@bAH8F@|i_tIM!lRu<5r5GBC`CL9rNu=@E_)&vwIcUA#<$0w z#q24^xF88(M)lOguI)NjNu@ z)y3YWW$nu1@rj)cQz?6SQ~57_4T}#}fR?u5jBlBfK@dxG8!6n1oTd;}uDN+wT?=y1 z*StP!znv3KXRMnFZx^kK^;}KDMz|>{muJAAffjmNbWZHY(= z!QU!QICjXGNv81pkC3j;&fY)svKft*y~?ig@94FA45Bxnpb@hl704Mcn~`q+=5uD^ zVwE~uDmT|CWiHxD_XA3c=zWD3MH%!+e;oTr@S7uo4|3`2$YFGtz5RcG_!a{-$~dso zru7YZ%f8_i8#XYeYuDTNvMi;1YKtp*NYwqi(WkFQZ`CFQU!+?njQU2T~xpcyH zwft7r5XI5_Dou+8h1}S|+Tf3MSn~!g>t(;F^3F8am5L9uPCRep;Mplx=^nVv@JFhw z!4+)iKMe{G_f7;QA)g@o3LhgIH&AefWWu+LbbQ>F6$(LVloK57Ni)oGXgFQ3$f~L3 z=A@7TgAg@17P$z^()*;x-O|(Nj~e~ig5ye>o%@ec^&&P@8)9f}lcCL?no`pGk925i zx`-S!ZWXp8ltOO_jap5=i(&8-yF5Hf$?Xg0*TpMg!-#ftcDA1L^b^wot~LnZprLE+ zY{;LP7$?kZC_F1&Lfr&$VgGEe-&beWlc=fYUb11W&0!DIS5zGiQWqD0U*%eVO(w6r z0%e>FsYLo`1FcYnz4Zl!c_KW6ZqSnIlO;0B0B)rf<9o*%s$JxPK5rr@gSg)}XZz>M zU~Fs*0RdilaHvjHHYQG@&GYI0k@*ctzWvOek5`h|*}j3gisra4z}EFQi;;<$_xhpy z*WEH?(&C$Hwp40n{8ZGQj5FdXsN;KULrO?UXnPADUx7F1zWHXzpH@-oS7bwdl>p>u z%zbO?q=SJ4T2M|;PfN~Dv0#V>QSauMu`H?0=d$=jTuI0X@W|sygv6MWR`9G+4kygF z!N)c*>3M^?u1=fLV;x{%u#KrmwBEtsJ&1@#d9D&$9~DIc7q*0c)};_HE}=N*?_aKQ zIIj0i$ah>i1A$k?nZ&)mr`((~SD*Ti&*`iMHIsqgk2#8}QFKRuGs7x~_cN-GWTS3d za%kx3r}mUZ*edqb4u5NTIb{kXEihGr%V2Tn?H^KUP8M4TFf-7R-RXxPfB5!#aBygO z`P>FYmDFt*okAMZg67tnkl?-ddowHRe!OW!f{T2DKP5;YUG>NBNZBS2PiLM=Yk2y{ zjOY6hi5c`>AG`EX*vK$r zJ_43gu;q2y*Mz2_fd_t*n3JxLX&m`D-|T-{mPbs*Hcv;qJVfD+yg`VO9$Po%B&mP< zwq8vCjgPm{OfTH>ZiPh{=2A*%@dfFnKbCwg%-5rBSXtZk*-^ICEfk%ps9}tZsD_5d zzL}nvm)qN=zMZzMEjwRK3VQF{B{o`H+qUR~f*x~soSYVVf`&NT3Fzlo_fLN z7s;{yNZ2&@<^D}=5{0y24ftnHWO49`ZOmsuWOfNp&hpHxbqtG(@2rAZVY${f(s3k% z*nj++E|qWKa}8Mj)t}a%3)R;~0AgGu{LJJqoG1Rwzj*`vpyx-1CjZ>Ey>DFNTTc>m 
z?%|&IeRzM>CJ(WvfDR?tMOON)*LfOnU}&C6{mJEX?^X)JM621e%(IhYqT9$YX{gM7{M{byqarrXhIhkVn8ev?6(yjYj z);*@=sp^oEHNdL>)Bf}`)GCG2Y?M%HveO+kTeI*CTDQ26g+$6nGliOmuAw6h$B%yN zFD~KLF{YTeP6+Wc8mM!1tJR?g3;c{VX%>8)E(g^co(C~jsqg``P8!D%Vf;|g)1ej|;~wo$ zVM8hPsyBRMW>0t6m7M|{x(EUCSQ!br^R=(vftr6xw-W|ohdM8d_&nX4vICAo!5`04jO$QIj9E2u=b#|u%RV15=B80ZdQX7o20&H02#+~R*$f7lo^TbobgC#(B;1XpX@Iafi64`m!5rv{ zk9gU1OqC%LWZ%Joh&#m+GB|04&YGCz&}=P`wy4o?e9!})Y#O5y=C_!(zBK2^HsCA) zCRWIpthcabA0=j*rz<$#ee)G>_iRE4s>n_ecq-!tNyzNq( zhoZG-yB#jyJV>|jK0{JGx(@!bPsepRoc-eU&%2|&y%Ana%$*Qb~|T44-TtKK!?QtFfab>8aV>0PHl6CR%XRe+}%^M1&&xD zs#+Sv!+>M*C41-TD6(|sAq7Fi@suEYwp(5xPb$GEu&Y2dy8jhLx5dbQ>IJe!UOe$4 zvR#U^>!2Zx^gdeG-|lxAJHkkBc%JOuJ*}5+NjM0e<^P+dio#)Sns63n(vqUxGD$$_ z{8z{&euXSZJldmoeCgoUx#!{|Hv~&V&)Jjd?H2jWM~pzAt_TMe^A}!hHbT|7WY>VEY zy9PF4R|<7YR+M!M`;B%gF3ry$;vbmq_!Uo_iJ>=~ix-1@vN?D|otR$3P9)UAJ?vGw z7}|P--vpE?rZVinsKSi6XtKUZY6}S8dz(hCfT(Atl~wb zwa1S6q=ylX@D4cJ-N2=7cj=i8+gOx(BE{)vp8@9vH1fhVx$B4bqO)l6P%;SoM(J}k zMaUZQm*y3?_ft6$S^>8=Go;< zBl>X@=i56+_)L7~b$LQdq@srv`@7meOgIxOu?Mkcw>rXXK@1wAR7UMPA(va?jIv1w zE}wbei7sy9GwaOsdo{W%z6VUq*I!-)y22$(3Vlg~9Y4FY?jxL0VqE-;4=B$4JVE>q zL#W4TVF-iPxVedL6?ba_8qYrW_d1WiGts*6ofyN$Nvq_VN1ChQp0v!32=)+-Z$o^E z(8#~ay<~RiNS%HUtcr&lLAK*%AS-L(xd25JNxgFA+Qm${PS#y|&gDz0iVtcd0@I^u zv}7hi%-)L`uvc0(d=Rn`se7gfSNxcI*PC3sf5h+{-MT18hm{}8r1t+w9HTzk_wmyP ztt`rcB?-J2l*3EOiMQ?MB^!BldTSV=4%T*1zd(}s8`!u1ws25--nmg%+Y!unGjT8j zLjmvL6_vRN*3n+LzoX1zB&f_Q6oLRKCT@q(T_q#Pj>UQl6hdGXRCmm zAC5b44ac2k9*_x%jVq65N{1G4Xit!pc%`fSP&EJN@`^$b{Crfn>Ij6~Z8Z9*A+uw< z%-s!;wwry`0T^P^O^I2*MkJar-C@v8gQ52Z;TYA5HABQsM9QF;NOh9kPMJtVSCSIF z2M_-k4J&F%lO(vxHm!6g|1->+;7{V_UJ^*ilD$S0J+#D4aq&F87fh1c2Lct0dMpJa zb2VVXBV>!~dwlRKGeFpj$gEaL=QEniTyK5g^=556U=l9@_IxhPZ`F0m&BgD6ru}}# ziT6?VQqD{~2)9%m^Z{*`E|NCtdTTT0;#w|l_E1sFH~pw&TyNF--=lc|?wPx6A)Cs5cmd`%uAdV9bYUee-c%vAk ziV=1e1f!6<6dfAetKzx7shNkpOt5~E<_xoP)ir?@zbuB@Tm6hm^T8EsO(0 zIDq6d09w`*K$9^({I0>6coOi3yb%CJ-dGP{`S0pmp|k1x->tJi8E z2}E}ME4Vm3gPOhv8iPXLD@u&5XpC(i^$$HW;?Ey!1I=%^RNo4k(sA+UuB;4ViUpdY 
z51IP(^#3ZS*L{9tvcvD6!=leLDgLWTO>InytbZ)$r=X%2X|T9J{F{)!e-zH&1fb}O z(*K)8hM9Z!!9J)!s>`c$qoWhUql!3TwECXtJSvyBV zWnRLgbF2HzwNS&z|H)Rnx6w2o8)nG=X=WIjnq+j#{yU*1!$Pbgna!fJ?=T}B-gt-f#*5wqQbFW?*y zNMJ3=gkVQDOpGwGC)qgb*UM}!mH1W6$BK?Q3SuXvAGZwCQm3ps6uZVh7gsvF=z5;f zmL#f-%mp_vy=Zz?mT}&%CoV{{*u;8`>_~6pZKCY+m&MQdU@-6_cg^Ck*w(Bj(m12owAoj=d^fuCKSqc4+&0CEKvwUGyNQ)cN6=E_1ZQ@$fX9o0P65x*Yc^m;VKaEsLvzUz9;q5UknaPvoZfL0K?%j2}WV2Lyy8Z$>0$gd>mArPJ476 zWf*S_>Uj+n9?!!84~abiuXzPG@8}ql8k}!qT!awPN&XGh`W3OuCgUQ-J?*{3qY?N# zxFPiipK(^z`p=^68WZ_T@Jw5!&eh$@ICL&=i~WuKwHVA8Wd~LCa=ujW1#{HmvZDev zIa#)dU*iLa(zL|Az+0-#+O7HDDs`Nd26@`Fq00nV#9?q|7E>Ho81_~t%c^ZhhpH;s z(wU{ocHsXgZyIyq*d)Qv@XpuON?bbuC=%p-^pkT`nlSX0N|Hfor)x*Uadxz@y3;_Ki8AQ>3Q zn_5w=>cBiG!-=itS73g9)e0qsj(qYA0Q5kP50E6WT9to^91AMu>5V%l9__AsSPt>?+?~9#37UR-}uZ*EB-%i`(lvW zyZVrtSs~{z5HPC=nyXXNgClI_QDhRQgq3)edwo8a98|wnqXmONBiTWKE?ot>0Yt$J zAtFsVk}6_Z_}q4Y=QJo8~)_LZdFJ8MUJeb2>s+B&r*AhE1cxMk_<>3&h%$BAl*wm zolvwjo-`t8-7t3v)vpO#!Y2fA(yo~rN<>c;Q{7om{W1ymAsUq^5C)yv(ig!M)ZaW~ zKPpvZijks>ZflIskB$!gL#Xj_xFSxoKPrhX1nBNMRDo?8+Rc2u1Gh7HFL=g2xrPtA z4JqW~IFWgcVLl`Hb)!%2I1hHIqzBw(s}K8`WkrR1y{EMOXDMICtzD|A1@Lf{;4-|2ZtnLRqeHMYU>XdcZf4jL=b&x#ufIM$`(8VmdBixnEK)V!ONm9C^PVp>ae-G=3f_r-Q+T`BvDQN7;;9h-|u zrKw4{mqkGRulSYM7G0|DVd+Q%eCAn4S4&Rbz7f7VRKPI&s((LlYGyd(`3Vapw)lf< zU-#T^OpW@nQv#hRfGOx+ons92`lO_-Qwoh)p=Rsyy8KrOj}zg=YdU|X5|6;zD`fLI z9{v15uT350CS{$>L1E|29o4UEiaMTP%P` z>>=AaHFWwZccaHg|Icb6;wu6=dy)PvJZz{nHdh~5Obqf*VhEtb2EPpE3`2p}Mv1{9 zcuA|nc}#3?WdC^2SLl!97;49+jh{+3rnTB6k^f=@%aFT6`uAq%>73yW%p71}k$81c zfr;)&SVw25p9>iJQP{S{6bq2k8MwFIyjgK+2#g}~m93SAS~?;uvF7W4p*~cFm&r<^ zoIZb1YSzon@c=jl*>>vK@^~%}j<9n2QabjKVQjCEMUenyl!bBr95A-7)DT%l;@z}a zuGs0*j+UA@q+Fu{S|Vlc&eC{^uRLd>`*m$Gcu6J3NXB?yq+L^G z{A4f^pLvAzwAN%>0hQT1j#j>GnoKbmDx$IU4&ieYjhz~{ zow;PIOo1QeP4c&X#3oxVY#D=*&QX;Xql#5ClXtGm%X0=>?_M|L?(8{T0l(`cErPO3 zQ`Xm9Mo*pSZOr%t!o1+OkX;jK^fjBOLW;F%QZkYW z+1|7MugL*`G~>$@E6Uz2{bzreE&8d$cbRVVVB{{#W`*!hA?LwOY3`zWWBlnH&C=(| zZ(ZhBb=7bb&&W{8ua$B{_9fIa^?{!j{h2yFz_eppELNdjthVC%G?qbE-pf6Bn^hNp 
zu$A#$*{^Jf+_hAeaEYkK%5U4WcHcs+W8eB%u5#4Kv{dD1w>90cuBwmOr5kuBTt)@} zD*tqmq(al!vLqYFSWqUwuliLla-(p8^!TJEEat9-VZCRA#9XFTrcD; zQG`KwtZZZo>ph7t6WJ%!3Fp6N+WY2uBbj3<_SO);MMH(ks!1X5unNnMD;UM08GK!P zp{S4ZR|7@AwFqV&?FZ~j&(1+U7eAF@5nTxwA7-gd#ba_Ss*nvy*p3U3BtS^{& z!$Q}cqr+DAx!8v}3uFGwWRV!$E~T-6F}kSDssw+K^Au&iBt;KWwOn6>9BWOl=zm|hgBH>wf`^puS4CStv^QqZ@iCHj!F^XeVNcs z$JmwYO5{pZ+T;?!>Ekc%z}f0bp3Bdtnf04_<%?H z2em=-GU*dH)w&n~au&r{cLMd(T-UQd4G?4;({jb@HcTs>2dp&w>VYKCa{JeJhrc+%Gj) zp;YQU<@;;nwFN{!B9yGbNxa9Ci@d~7MiU4K0j#2CjPtujFswPhSFgG&5(W;86HnLo zYPCvFPiqgz032Vl{~4Ij#U?SR0C8E8F}0BimzZ{*vM^dx$;l~e?UN@7n!9u>-W6|$ zc@JwFENR4QU6d!Gujk%#cf=o+yU9Wyt``Jornn4cgKYYxYs()E$u0>RE;!s?czoTE zp19`E*n!0EXsOU|Hp{#|BTtVQv3qG;5^mIhjDMN<6&`xKebum@N#%k}{?U<(D;T>1 zUO&uAF?y`tY}(De^rKl7rQzX}rSYi&Q+SH@-;SDxE_1cq{DU4~b+TVmk$wCMQ1SH~ z-HVL?@1O5I-B{0$p?i-=*#^KPe@Mu|RL}p8-t|7f4(kd3BUsR2H^x$vq%H>Br9^SU)u)GV*}n#qjgW4^+!X zgyak3Nb!3hEGa^NV0`#`1dSf`4+C6`K4cVuogH0lwZARmG}Y1L0@g>}4;a=N zR&uPE_Jk(S+hIGuG2|-<*9w)NX25{%dBVvXpsBzSdfGiB(&8f0vG9# zf`7;mt6O9Mrs%j#L4kpF6%Dhg;$4x!TPr;kvny9TB@_@IGDlCl7a})5Lg8>dYU(o+95dyH}P|A)hRT z5Zcuo_Xm#Nk}XO`j*{zbo@jc-@w6_KcmJV$pXvnWimZQsnor0PHa#c?f~A^DQcpA@ z9^QC8lEq7=>pD*jMkVx?D4WjMi@5l#(RG}O3ARK-;G|T1XI8CA6*PV)D?c`+u0eeY zO_fR{u59#zZSl<~zcM4-HA2XqUc?`ne7J70V0+Q68jFwkbHz34pl#y*WX0$I$$lzF zgUw@HK-y4Aw(VESqB`l@Q*%M#yXA1qt|Y{65a1iHfuY@#2$(fF51q3|Cc&BxA9Q^Y<~hl&Ec%zRGX#E0sE`L@F+Xz~7YBUd z`HRQT-6h?pu)`&FSf!x|?UmT}h71DB1YgHHmY*l6BlTV8cgznf&3v<%Dw)MeVlEGS z74DR24WxC1a{R@#znB&laKPD?enK^-IUi}Ebb%kdgzaP^e8!RZ3k=kv zdY{F5iYa9}xp0g*x)JtlOCg3>5KvytvrfA0FmhvEJy!z+!!!CsabpOIe zGq&nC9@tjz6q~Hw9N+%Bq>`GMg3|#7<7dG=piCDkRC+^Jni(zO1gxdJh?d9 zhQnkv22k*;rZR7niX-(!g3>qXs%F=u@UbC`yfNP2kvxZj!GyIR{7qRAqUqI3oy>~p zSQC;OLB=5a(!a6Gga}hG4Q%2YqKBAFdDxNy7|d?zMxTSouP}@l=YNE`+;+Ql;&3-j za}{euR-}7A<}G~lf-MR>%?dJHqz}F)kQK|llksuv_OoteFIO6q>*Y%=Z{8enUcM30 z$p(hd{g53B(3ZjJZ$D?FXJdL!l_H_=<6^G4FxM`C{oSNicny1SWks6uxAjp$A*kmA z>S^XXm_@VNHaZq{dM28VV7tGCd_)}v9}Sh1?d6=PE@4O%!k+aTTcsRo7?k42B>z!JLeZ%lc)}+mDw#E#xi-n9`Z6HOv2bMlZb&PP#i;~** 
zzKtXht%dgyvAC!)OhAEcIVEQCB&d47BgUS!Ol01bF}DtJm27-plO^Py`Yl@>m_slE zc8`N(k?!_wvZwII@WdrRVV%<~a2no82z75KC7&IrnWV|CyKMZ<(xHbxlH{X;HR=bf zYGVB~j6{AA5fd@}TPbP^_MVSgpAxt@R}#2qF&NF#*xwjNF(I=Bn~}B%NE4MimI6-V zMET@8RMQ}LT%=e>AOW9R>zuz^q&!mT2YaJ}LH4gC#A8j>79n0|sa@Lr#4Tn}L;hKy|t;3cB8N z7_4vrOm=7P0xJpq{#SyTkBX&VzO;I-IxbZ`=rnDQXggYT;~Zv)9{RGIM$CzH5Jp|L zKJBT?PPSvv&*2x~;#D7jKG`^NFY{`JAUApr%_gjHIIeH@S#YI;6W3IjC930ZzF`GN z5aqUvhZxBMLfB=4_lEkhXBA?diHE2=*_ABG8R}flmV&RiAO{JS$lJdJf+M?F*>jur zF$lM$!UQ?!J9wyKv8Sh=B-+=U4!8j{usY3%8`!dgL!{t^yYVY@g0_w^qE^F0D0pD+ z!g4p!BuGh=MHSQf{9PT2)$3p}ZzUTgHQ_)S5|wQ0=2m*3VM6$zGofg<&qJp%2*v{eJ<01`gg)qjlUr~AhKK&t z074sF4e>C&h`w74J^`@B#$8)Mncmftw*;#8np608Ak5SITPpK&wQp1SF{82@h7q+F zlzG^-$N3k191oBxGopb}+Sn_ETTfa)5TSSFqlz1=?fVn(*Wua*Ewh|CYXxKCe@ajP zd~elW*&ep`?C!bFU6@_Dgn1(m%ud*^b2QYq`d-}mM}Q5*U{HiPSu0R*m;RwRu&orZ zqx7{#^N0#v%sKHW%V_F%WYfh@aOMH&IPo?jH0+U086OH&(w5WVQAURz9jCZwnl^~2 z6;Ah!XLp7fsEh@0QszJ$ut5yEhV(I@bdkv&0TzWHp7|T$jv{A6$g@WtkUK842HKZ7;h%+xu#VZ8`oC1>=|%*ModD zwxjrAANoPH=K#U3_WOcQO=QvZ*}nC%B0v z`goA?5s4e*yap-Q1RRJG%I@`L085t<6lYmfEMn?(5Ipu_9Vn1h>rj-Ix7VtvCJ`rb zPG)bTe~c0(7ZNu)7`KB)w}ij$^@fC`wtAAwM!K2l6#dFVI4<*Y6RuTs*Won3Ce$i= zLmR56IPST`8r7iU{BTW7j;I1u<8U^B<$r{?543&Mgk!kcDCJlqd z9s~{xUHw=DB|{3@6z0$=5Df7}hL9-kGU7FkOpg>)+|O6OBohoEHA^WsD4To{)SPD8 zK1J^*WI^7I3ZzL(xzu9VEvQH*1czf^X~d8hE+`TzvNVrR;iH%Nx!n296X2o;-cDG!xqgN54(_6I1Sl27?O z#XxV|)5XW`Z|@w;8g(2V!Yq+tCGG&N%9U!nOkMiL!bLtYQAsrfpf2N+1dc@NTqr8 z5wx8Sa!~j~42y*^;Dv?ZVCl=Z;d%NDs!OeZlG`sAaIzyn7W=999f z=F8(#s-1p8MrJ!19QHX;n-#)!ve5Xg`7V%h3mLvJs23vyvn`a!+WV+!=QbhfUfeY% z2=>#>^jWj!$In!ls0Bx73@Cv~$|yrzKGZDf%$-Pjt=#!E6P7=?t>DUPz8tyF!z)*E z!$CTlq}@Q?4Kg}DRs)~01U6a2%Z9G)2xm!Sx6&U1X~i1`o+`#&WmhmR#!7jwIJpeD zOot-mi}xMa81&;Ek)g+PlFdgql=(BnS)qvUKh-Na`k0xiP4`E0&nCu!CLbK7fVyco zeh8i8s8#RK>h~`a%>EeXT3a2g5*FXDL^7q~t*}>ZCt>x4MpAbHMqR?g$)TH(vuaEq zTd=?GU3E<$p2hq0wMnLd?v>%`nBtnM<7&~0BeKi=4OKV|cr}>fHR*|d;OVl!O@-N2 zyB~c)mNVO~^aqm>p=MTi8-mj)12`5rOO&2z#;V5pX;^>w21=QWv5s-tCQ 
zlcTu;3rlSJG!%jW_7RwVtGQE9t8w#d5WBkKa?NiSmfh6wD_^?DF$Ao8i+G|=ui~q7 z4QCnEtJ(Lcg%!@MlN4oo)dCR#=mc^Vtv@ug>Pjs&%@10o-vINg<5B^&32=cy^nA}( z{9?gBD~R;9fq;44ZOMAwEp{}RCW2-l%+YF#bBwF2`FVT{rxrxgVfVXabbvq7P|p|r z&{zolP%jz@n;+hthEYnBO`6F%Cky*tGISUeShW^dOTPJXyWuTLlQ;)MdWrlt=uZ1^ zu5tWWYLG2jmgH2x5#B?Yf%XvRtZres++4La`puMcVI!3vy?SFTkTS4lw!WzVh1qh9 zs}U*y5xB^nmz|xABgdvi;^SW)IAsfn&wV)}$p$XNMSxmdw#x{fhL_nx6()qw_9K*; z4kZsV{m{f0JBj&ztZpXm8}ZIa@56=#5qLoc%31J=5AuF$jFV_3EvTEVYaeb94i$vg zx@JeuGE}hbgoj3+Q0)DN;=WRz2na@0}XSljp;L<`QyuJbV} z^@+ENPrx9Y$0{n!?qKW<`q14B(DUC=N)!=y!^+ScNC zj2pc=DZFI<7@w2o10m`I4fd>4nbCF+HF-St`wHy`e9*5|e2_PpJy;T-2Wg?9N5S1M z3oCN35GavqK#0BwLd;;v0cUwpzaOabWM4ji=10Nj_y(4-k=YlO7K)#N&7o`!b8sQ- z0E@T`mD59fq2|B%FlumoLbnwt{={8XzNxQ)!I=jQuymuQ9%0;#3j;niGnH1{TpW;G zEc#G-P*C!|D=E%lKaWN%4y-#>5J%iVL^ zkffe|9<(&@3b3B$(B?S>YY`?jkzo`5d;&$*&h#c=>V$4Cax}i9nKnws7>@TWx%pm# zU&4+IPN=W4-r+Hk)cVHk*yoL^8}nLYwsa%B=17~qa_KilaY25lujG0z31 zP9%`ezXS8h7H*iApozJc>HDz{^2w0dKj3DO}hutF?-Bv z>xbpS4xJ`O+h-YgBC;L-U>7}IzNzgg1Akp@!RWdwhw#;507ips)S8bObd~b^-V?rF zrQ7SbH&FgC)C3_I6Ocp*IrRLW-(0h&pNNj0NqJ^!SbKan?NID69tI4%9_~s329t9= zIl-a(12&s?ow4mo-%9(VNzhOgT}-4KdQZw(DBEb!6bMq$NZEuU{|Rg%9;Rp)xp`a2wQYf_ZGcJS^<+^vSFElLQo zf==p9M;T@q6b-mG57tl!9w$;6jX=NmKsgi8&g?GH`XK}>aYA7tFPb!xh-fPnJ1R?m zxrTO8q9BJ{Q#f&PQMyn`h1q^pcPoznSWx7 zO6za$@)*%=jYKBr&fxgrl$xd3!d;*_8T4HsW=&9Md5t`~v;2EnzqKU-$vsQ>UQyL^ zDP3RH6D@a;r$OLynr6_95UZ|2fdsXbw+b~IU)6F~z1dAvB(9d4s6H=IJcTm5#UZ1+ z!(%rP+hH(}a-ls{_}n!^LNf+jhhNnFJk)Mi1E&{Mu-tcgKEo}5_>kubyLa540fs9% zIu8Wucl3c3-q4cmO9@1G$-5tk3^_f>QY*GsDnD}5K?XeK3+jp-@-zd4Zh62d-51g| z4uzWXEGA2!ebGT>%swkJug9D6<_0h*j8J*%+H47xola6>BnDeg!7J+@Og0G@Fz5RE zh{Ff$7fYHfnj1Exf!{Gqknhk0CScu$5@o5m7j zkd6{}da4kFdV#vQ57sNaS{eMf6{W=ZgThUNZvK+OTjk+{X`GN-m!LP59|HrL&FvJ- z{Wh!@0ty}Zi}pP_#$K8%Q(A z1<@r8=$eOU4XbPja{@n!Bp+`3I=T3zFEjW8(j6noGQxd$PNY4#V(uZcHIzEOT0hho zSK6M(V6Yqlmw9w>i*92-h-x0poX3NV3wbRaXm@09HS{P$!G?d)fw>^WDpJSsHNl*k zZJW(vD#`a*+^f0y^U9i4(}Jn8zGvgc%a1P;h0_Or}Y1=C*M!5hwUGx9Qy{jx=n 
zV&bU_gzZWb9uxXVemc916`AvSfAW0=)y~TB9LhUBmv%m7jPcy7KFDTft;`C6x6HhX zY|c}BxQlXKqBRXea<)iiM;MV9L^0^XVrgX2M?lTDo9xrBE{FqAsSkqQ*?v6TK)qv7 zo^@pGg`;1+%=IWsg=slF07dbElFKoJVzO6SpVSUahB}y*fR1bN)`j#=(V3c?|k0@0i&g{=A-7T<0QmnY#??@DXvFL7?DY zf;CM4be#FW0c*tnn^Wii1zhv{Ao*Y68YZTHO40v$AXtNliR~ZZ8m7M<&H5im^&bRm z*#9M9!|^9z!}3p>{1pcK{|4CnpZs#yzp=!B3bOg%K5ozSPe0!Ee;H)MO2qv7Yh7$a z%xwP)Fb*@re-OrD{;RE-{|Yhwdl-j>fs^s?VVor`4Tr@VbkCX4Cs4wK6c`e^rfTew z8;mI{ZprWFT=?XO>KolyA;OsC)0T_dfUD|Mx%Nxd(sm0v2=4 zwdQ=rJD%~3_nFhj_TP^(_dhlDuQ%V?McDPNo&Lb@`Gof9X8p7WZKkMFW^VgxRH6&s z@;z)4!jS%Xo3L@+c&$u}4o7s?;J6JyH|chc4>x6c+~ z;=3n!9n(6A!{$vI*%NJ7y-&dj>4XW%zCj?zL`e1!t5C9O3U=9}ItW+mg0iQ`Jw=W@lW6 zaU3aBpr?=_(TO`V?m9KvZTs#mVupM8=+q^Bez~lIV~dgXyCt2G0!;al2@OjRJei<| zS6x2Q9h)*!n%L9psT|^N9iVMGeCj;VXAOK-WZf*G)}qCt;1=%2JrtU5)p(<_YR1kn zTh}b9WXqb|txPI|TnBxlPKi0#Rf{3j`9rb%gmDrAwH62e^Pse3KAZIJByx`C6??d~ z56=Xu<2Syv?d+-6JutfT%_`03s!;q|k!mm2-PUT9XZNgnj;%m&+9Xr5D@MJI!b{f&+ot6f2f9@j${wHOZgryg8*JG; zI5zHhpj=DjwD<1%r>++i3@O@ZN9D%wn_AzE8A7~yrtgz?JB?ztkjj*?KUCa-zo09| zycvK)OsMIvKu5oaXcki8UFe@Cl`oIfzeP=_>!$2coB`!sOGnIm=r|tCzbt{J#h-9x zMqsLst+mWi4-YOU>ClH-C?PGMJk_XEj7kHstUM-%+@H!Srt|4DmNsmA=6ro z&^L3cl{Z=mv3SKxgdsSY0ew+{8LR{FdUZZ^HCL`QTvY1aDns+SoQgW#ND5W3u_};i z;dn$58Y;zA*6tlpZYZmvsCj|ijqm>Pyb3eJg9L`6dkNY!kDyG*zGD>~A5^m}1E!Da z)}?MzD#~3W7@58XFJ*0?!dPUBPH1YdZj#rshs3)69$mVT3ClTTG=99nP}WCM08bFHmXQ{3FEz2F-w95&B_)R z(cQ8vORySlAuKC9>*|f)Vyu7i`KU0-h$+KkDx6V6^++OgIXv@G;dbcgG(+bX6m-ZM z?X%mnH?_>RgGMJD_u-Hx--Zsq&63W-;iI;&yc*3asg;~zrFU}u?= zSz$dbBhF#OlC;}Z!0gX)yEyYzg*)QfzHD^8N`ZUt@ZAe0BanpH4EsUu~l2EJ>L;wqYO4GBA1^MzZv?aI({>Zbc0P6xHQ_ZDiy)b}rJJ!nOsxP>ED z7iH9Z8{3$ak$X-PAB$w>y?$L~SME1PoR%+c1E{>?lGsM~r2QO`TzrDkvt-|Xp3dPI z^A?zLHI*c>vPn%D_RrLRB|KL|f?zAHR-}Z7Byhz@?RpyL=t^BHZi651NbL<4A`iV!cH`2m;70+tqT&Uj{GqsH z3~o1b`5s);_dCcVof>yEleS%%)$90jU)Abuw-I%}$z{#pnJmHuwLk_ZHH~&}+8&ne znR+<&@pf66=j)-u@efat#+)|@NMpmb5C(-+g;tKWA3<1I@#PMC^v;2!RzDp z-uENFg(P7bN6Fh=rjovFAIpoJwT_AJHfU?&l56XnKOQAa5^JE`Ove4dq#&)2Ag#7G 
zQOWbrJ7cu#+tZ+svdM#3})!N3qZWt?SO5u%sbNzH3xS%OKsYz;HF z?+APG;QFA^B$<>I+{^#I-HNB#ePyjWqWJrfbFXGVmVqgTdcm``J<-cNSbVWPUgJLF zQUlvam9hxNbT}asO#LWU7lS{Whx(L!bZFMtGk}w6NuAKAnDlin3z)8lGo9W3NR^ZH z5t(gJWHd~eqjpuIP}i=0Y=~!fjZa8}5ni@o;XMhf@sb#!JbINO6T(tGt`6iHk00~1 z(sdi>Hy1xHT^Kh>E4;Ctr0euqJ%uS-wfxXxw(vQM5??1K)WkQTX|F(N|HAS`dg3;Q z03}{=$wMP1+`ZSP%TEkTxp=1EJPZ3=d13BGK~*2Syi4o&h+z7$usAs?Q6azahOD62 z*AO)vAFCo&{S}+|lxa;;h1HR=ni@fSsTRtjES)U#kK=KJ6dwh{X*~$sQ0_8{QPz33 z2g(~6`5Tyqh35JlWhdodYPiKOtvesZQGsp5BXb0`X70`YvM=|L(E|=Kfq*$j$5mxb zg>O6&GcKW!vr@_UitRCGzz? z>1jTs^~rWy`cDrLbmOiQ8ko@ByHu&~MLp_)E!AEkdiA*)yZvST=9R6yULCWB#Gu8J zETJl<@fe+wPUelr^V)1BVTI`aoeK))>a1^yF`4;3Jd%9Vt@(9EE=gFu#t&7y88HP< z8(qWAUd1dtZeTuOl~Qt8uGjt!e4hlhi2ElT3XhT8q!G~zq%9v2gEQg@Cv1Xd!&*1) zQTwv4SD_<5)P0e5LCG^>fE$6*y?sbf*d}l=f^4RSeQ?S*<`&nL_7cQ5LrczMyi<13 zP)rFz3OGSh`|{zb@r$*|ljG>=xA5%ScIhPE${6(E1PtOU6HBeWG?~#vX0e>E!p)bLe>1VVpFb(6ul3SM@?FM-+ec$Q#8g37 zWle7iX&5r{tkqfS*hlNv_n5m3;M~8Y(}<@cmm3%dSF^#u`5-8`jS|atlgNuLEI=I_ z5kgO9j+oMa{Ua$qPoi|D6Jp)d=GJ$n@7YM$y}p(xqI;=78bd{EyvDuZF8pYj-xiMd z896DjIM~4q^{g>c;qZ!k=%;#$sJ-UJoTut z*e~k3^OCK_gxh*z+(4yb?+|oq6O-t|wV`>2z>qmEWaM|a+MOcvPa;-X^4Z{fBW~aC zJF1Dh+>CQ&T~Gh@+u-YSj62=&fevXeE%sF8aQ#UUy9}w({XWmrx{dW(8%?iElljHa zKhwLTXl)>FZjn~#a`UxoQ3_(MH@PIfI}exV4VE=wF6|p}ICO;3hmm0G2-5Y3 z_xY3-a<)S{?iY|aUWGfrdJ^ZB{CfKPMNG0v_YnvAGK#QgfdaM`7($Us zD0fZq@(8Ip6QQYxcC80R5})3#ec@MkvzJsjH+pX9E)-q+l4RV8F0bu4E56jHgQ1NS zr5h~FdVMuD^60g{Mp(a1^v$8nn4A&{X!x5R-Qp#17S{LpFRADx&xbpB=zJ) zZJ9%DjeAIPEza>r&T3rAQsXFsQmW+PDDT2^>GASpY^lZz$ON^fO&29D^OBRKWcU(!sLe$`hO7$WM(&RPV%EqG%%9nu8G`{y_JE@@R($t&6accyvmkIAp z9`QD0*I1QwsozdQW5V5`Q{`D=!HG5c9Kf9a$U}^AD{l(n3&99kX;bL1P~K{k!R$L= zKdaz=WU9gatWt1$eN({ced~vQ>lJCczrms$lgT@bH9U#BdG|DhESqfxd21PQ4BUfcvm#tntHc*tEyn6w^DOwQTSM|9iyNT^`#bF?sfJJWi%tG_6_^HIX2`EEk&L`>@WUD zmZG+|gQe3ARh_@(Ao6hk&Ozk=tz*P<-sF3giihX74kFLbt*XEO5dU+AArJ2#8HPN3 z=Z4|$I@Ni8wqpNVh9S?-cUAaP!|?pT|J)x0j_+rKkc7iUK862Bz$IOw7QcY*FK(8?bL#v3 z;muNbe!5r6?|RO8{_tvuKZ?cKXZrI{2>u!g&Y!JX?khhc!OP3_BNE*F{Cs~F2^DJ# 
z@TkFi8=eG(m-lDa7I-!6y{NbWoP%!z`jtN&;_v+Fe<_dlpL1a)9UYzA-L3+s=!81{ zwk<38KWNMH{&ISMw!r_ymgN=T`;9GYZ0JPZi|bFEbIchdEO{mK;W8>FO5L^o3ma3o zX;VQ7C=msWUGFR+8g5XDi+Sv7y0Lj)zkdG-vfQ(*k88kJS#^2&%GUJUx24&Hv9B8m z>KC%--ehM!6c&Hxe?{bB%eR&JPu0yUci&_g8=GdoGJ9=&iBhz^r8kdbNPTE%Q|ue> z*NvW?jjajIB$HcShl|C<>H~S*$LU4)LjT)gOK}x%q83oP%XP zfRRIbVywJa{lcSmp_VK9x}V?Ce|;8cgSKdF;V@|s%7)kfB0Beja#G{;r`ck4f)Ty6 z(z;eh^!pTM7V}8s-X7z4&CI@gyZzYZtjE`H9szGEcK7q_E{aF}i$`}x)cZE;GroS! zD2L)cY;S3ap?T$#SjK8Raj_H$cM=QpK}kd5d~&E`Mg^-%>8H}Vw#c}ym$acyuDVtJ zL)a?yLNBmit+7{s%T8%=Y}r^)QB>X8s9?L7^=#)=+SOk5C^nl<2^5L4CQ{{Nm-LQj z5bTEtC=`Q~-r!=F=}q^3pk4XgX&Nc}=#z?A6S6?F#c-ixzOTR9ifVUSVNpF3f1*7cXlX4m+>-xHo?Ql*z$$Dx+a;q5Z9joKQPG0i6RO&vNYD2(m|^Hbal{Z@!w-Z_#_W3!jBP zv&-O$68^r9&4@?;n)LmdSVEqs=sLQ4Dtcl}x~1YKTAXEU6^GA}cm^USWtW!gToIKP z^m-2@3-!#FCo4>sBo|Cqgi84BKV3YkGL)}Qz^jk<$MN}&UQ$UZ5#R!sd64cBbPGYP za`Yi8uc4s3TT|hTv5>o4Tg71!ds$1wSaw+<^3GyhxgMczBS)QMbKSp0FNy!^7Wi>t+5e{!!}EeJ%>f-KKSvbv!RR z@e+lw8MyV(ddbdjTFG0_jP1v7a~_DtC5tXf?pMtd8_4Tdy_8cR!PUCRGaQ|=qVi&GW?O_JOXrlMpypnp%Z;ZK@H|!WI3lbPSNo}L z^;z23)()cSHz)=}Xfj6MsRUjPZQ&kxL8cPs@-XC$>o>Qu7fY8)GL<{M9*_py{X;qpVZ*jhO8a$7x_6$#cClvGH!DL(J$~_89f=7V|$K0M1 zYpWM$5ZOh9iUZV2`w{qCo{cO)RxP<7#VfuYsCLt4u)o&woo=>t^3j8Vq-Y}MI*z-0 z=r@$?yzhkMVFizhvzFM^c0wiUPRI#Q3BT9UxVfZ2Mz7Wpg(nm+$iS<{Zf2}s>I{Cb%AHO~r9gR(WOGb{?pSFe?KK3HFBJA~D zbAwQccko%UVK*)--?{BihRL6pNpE_HIlvUX!_J1IA3LeQ>R}iciPCg!cq|@+{H4+y zfsHS!ZzOy%+_T(0_q@LK9GmPFIgf$^_RX|4)!rC3txc#{P9gVwBb9xAHUX{}kq)Vj z5adc1v|XjLLBmBEXEDpCx_7^5yf5I^BCMmeY()KDkWQapxb~*cR<&X`C~e--HT}^G z2a4mW8A%JLr2?T{MxqIClvq-C@1oZ+f{hJMUopQkx!lwJ3W{f;!~q&N@%Vc+B;QgOEL^?XHjiWYh+ zO-({5v+YNUGR##wt7{o#G_G=_{*(wNgmT!!4jQTRtaf6Dv=_w2%k5c7W~)EYVrge| zHIOMSjMP9%^>bCC)GOa#)L|`W)|P1QgWEOiNh{W`qOxxK9`|}=>I+{q*5~y5=m`TV z_Ya6_c5v9_4&1_M9p2SC&QfO7%9$sXi45Iqf?De;NX}b{3NYe1O7Au@tx;dDh36Wr z9J^X=tv$|fpNq~r&bLkb(*F90?mF?Dk=6oo<(;0G@=JHjd~e@T(yh}{O__Cs_))6nY-_%!rT=(nUJIP{Qv`r z#4(O2j#{3{_Ws*9aLjIud2}{ma$6&lJm2Clm)c%&qsg%Drg)`YDeA>>{74JUFU#ZA 
z8huQ;HhIYttv`EY`UxGS#T|_-N5*BT)Il0j@fxTeX8#lCz{2k3Bo2B~eS?F61(G?1 z?N|4p+sf+RBO_O>aTQcnr@Qi+&|hp62}!eAV}0!uBIk>64{D$)(;RJooeV9pc;QCu zt`SOHkb0du-tLR;tJi{)^No?$G#@kCN8srR=M>zut@LU+#j z-HO{sWGv9Pvlkr0bi>q2xaClh9ye;>BvI-_P_`q`A?K7-U@X8%;PYRIPxzAM^+5+s zG=v!wS4dYb_p1FYt0kj;o0R_JiFcW5aG3hHuit-43>6=C|BO&IuT7+9L~gitWZR4N!E4Wh&>X%#9qGrUG}^l26LB{x@y&W>HoNJqg?d7JniOp> z`sc~a9rr{bE)I&Kw)aen>ibIHYiaj#lhu48A?jjl%&3b#UNNxk`Z9!9%w$1F$~5E= zxI%G&_-a2sp^-k9)Zv>G>G5+&HRs|y9vt*Fhj2Rjjr(a@(V=uG^hC70Bl-e;vjtxo z!$;otXks;+ppTIcE7s3Z+HvMGm5ihX*Q6SLe_Vn3q%pP@f<1PjsP8hRFtXQ;>5Kie zZ_|2pCuoK*uGsaGC_`g+X;GP37L5X_aKl!=_^bE5d_@(AC#iT1qN#ZIE-GF)T2Ry- zmF_Z`=lXLr_wZXtXjlX_cH1ZyJBO|>Ox<(hfqyQ9;HQ*;v#&)!p<>yla~=H^ zosK0N=>ej$j)3Xx-i$WNO2#nh-77hp7bYRxAIFog*i%fUKUTtMEHd=wC0J~`hv8pI zReT{vAa}1sv0S2bF5vR_+^6>!WK`BfqE^JG3XC8h2II4y8n+rLZGQT4VIc(reM~!b zg|>U^fUa#fEK~|2f6*+?Ow4N&Pjs6z_R(0M3f9CdQ-^`UJukcAaqasqB~%udq(VyU z1kfP$m})(r=yd6fgQ5+Py65+Fna8=gE`4C^r|-PnMoF=^zz`Y1QvofGczWa{d&`Dh z+Jx}!H+tlDXm@YWfPe?0aMXuf3jM2?9JCG6(RIYKxH2NS~{$rH3>~S^}dp@eW)^5+o$6fZT$ji|MdS+dZ_~^Sa@oec`S?J^OtltgZ zf!Y^C7ewOj%Ds<_VUW2nrYA#$=^>Wvana3yaYcrnoBwh}$SdABE1OHb^(vB!lolUt z1oFe~c*bdUM@RP`X}b;9V77=p4|8T(Sf$?&mtDA+aak~*dDmm&dFjO$a-=qOa&mGz zw=DCf>Fe8_k<(c4Ri-WB5c@cjCum)pwDfQY-(^FMdCNr%n7rs^8$t)ra>GjVFiXrB zZ(og{;`H3$<*m)^X4DVu+co09ji!A=NkIQ&M(RK*Z72m_4}a6}p6Qh=CCsU$g#qeI zZOdcg3~aH}$F~Fm+2uc}x0^c?CbGXa$Z11Kg}3%=EPaOYMtd>k>--7^&CY0XniS!~ zjl194_xCY8W?M=Ft5bzP%9^HMp-Jy`e>PzDzN>)E|Dbs)Gu*!*tNTN^^`?;R`j&)S zZp*YxTe>JTr4qeE)cuQZ``FV-Sz0Z%E9;y6tZ^#^C_Y6gEf=aoC4I#|-d5`oMYpJb zBZHkLYbN)djc)bz(gy-$g(|PudeL{WY-MS71t~{U%CRw%X4vZrn{RG*mQIKtfmFD-Gt+0`y@;h*2i&BB-i z_$IrR7zfd&CHhM%w%5xUw3+lqW%V^Vg{IKM>sL)7PdF@J<*y@n z&msk|Mdo1MNVXU7JQVmuqTNE!##~V++d_<3nDSs!xT`h@+0K*W+n`x=M5i^u1*CS| z@+tPU2v30p5A}zS-&cEeE%38qmkUiPbaK&?QO7%cQK>sswOhE@147%;_A+;eJcURO>J(n+5Z-w}G@7fb z_c*IcD5I5m;KLK6S*nijy6xeSen%N>?D~pXlViNtH8aS0=EC0t;`nyc20Z(p+n|e#DJ@}$axyG$? 
zMB^#OxJMtwtZLEq;)veFEx*cNgn@>Fby(q+r0PX})P_AaN?p_tj!@iG6A}vxQuQ`b ziKJl;#ih#T*m>^v5G7ScPrO&oLHC>p3h)#k#CH$2@5U;n%UNye8m;+%ZTaOI16WdK9z)$JLE z&$77N3Crxp(G%f$6(#(_?7$OeP~655E~6->0p;i+Smp(C{r|&Zds>xqSGR4-_)T zzHN%vh1wJyefo#ON5VhuUi55@YkE~`E#}_%;IeKTe9GPD88yfiv#f^K(+WBtuzej;$kIn+niAo4L zUMiB~{mLU}B&Z(v0`mwCeq$2e(rN2wkDDm^z{_96;%U zYGri9yb=)F7d5KjL(lOoK@~S~y|^~)8h+gR%zIp)}RItDXs8X4=+71JQ6E{k=z_y{o+l`O4|88d_Y#e^{WeY5 zYZ)0sXSNIX?-Gl7Mh!o{=}EYNA(S-laHD9IG(K}r^U*CGEqahjTlB5_0F9aY|e`|I9LtC8p=kB^Qhf)RV zXwRW#ZRHMn)$9U%z#}(17ZndDAG_ccDjq&Ab}q0*Qc4?mjXr4da>!Bfa!8&TOp;da zP$x$YZ4O;6MQ||My1P5O32|^-hq~K(Sh8C=IdI%`@U(EX=D6l`jScwK`3BU&(aM_5 z!tolLg@?P7g9U64OrZ7kvj;`R_p=4X`#VejpK|zkd8l}K{>L1?|C+D&H*Gv#?*Bm> zkN=l*`18$2{^VB2d_2Fo)$wyf2d7znobQgE$3d6+bMwA1Yf5WUDZb%ml@@55yPJ2( zxYwg&La*pb|KX;mh*Gk#@`rRz$=Rn#{lc%^UQomobBdNVm1EZ*B#ZcGQaUu(AN2MJ zdS|FTi}ZZIyVFDC$9J`gzy3qntAd2`{j1`;u3W-qI_g=m3&jkyeq8;1+pZ#q*G2G* zzlaYlrN6D$QCjRKN+x@EZ!zuigr&&g4ny6=n68?@M?;KN->hi7lA%cn2RM!e; zx@@-_Xdhjwx|ICEaNi5P^#vVM-|iDH+L2&dB{FtamoA_8?`K}HN^bQONPLNJCy9Bj z)%7~=J;%ZbkHMnvy;u zQ-p|A@QKsshn@x#2|Qq5Fyys$q7p>D8?0$b=ZrQ zaPj`_klf6rsw|;kI7x9X4Do?O$wHrmBfM@8o=dF8d4gV(cl2IvnP~o)+;GuMJoPZq?f(V5qUAi)0x=d&dVYLh7s)BA31 zqT$dHrbALr52=Mf@$}oyaM`##V~a>H+4XGbHFG6P`|G?4pYp`;+GuJLMXZR^2MnY1 z8T3hs-L;}CptkW)_`IUBR?~dkLqR0Rqf=|ZEu+%Q+Q2H?&>c3=G9jo>Z#g8zrqKr- zH*t#Eu@tAd?ZI;$GX*!tP{b~T<6-hZ$(71w=E%^U=(#&fRAWzQu33#uU>w6=Rv42| zSRq4|cd{8ADHG$x=!6q_zO^;|<*{4QCq&opg9!IyOpB949t${=+)Os~a>xwS#=G!> zZVWy~ag6nrIm;?*?xulv(y-BuG-5c+%B>c0R(mS`dnl=4IH4~w)!y6>e{`{d&O(q^ zN6%~o8NuF0MW0NE{q{SQsQ|tii+7Z@?Ki(AF3D0kebl|;W|^(0;n*QrjnMqqIPlie z-Wy-%6qX`u4GBZuw(SqtLUW&RkX#Oe0)qza%}Oqx_=DL&DLv}4FwF*_EK z-j~EB9T*d|X&AS<~ z^i>H32DgObSkp$SRcGw9^iUwUGkQ8NoWn1 zuP}8d4&O+K=Vao+Z6q3lqQP4T7&FT%==gpZM)ME)?&P_vlTkJtR?JV2=aMkVL>aMr~29@_O^KF#qaQ@lNyZGEI}o%4`S9&S+2pd0mt8 zp*Q1FoWql=TL?ZzsZKsK*E}~;ndAI=Zr)H&;-EyBJVFZNteN)vIP~#L`MC5mtsRj7 zPVvH}X^HP|Kg14o5wVr;Ocm*h*&b4o>mmuMOcE?C5^id8YVLpf>$nqwi;8v`*#iNN1_F-@hky%r+zq(|fxscb!M@J!bO#5I 
zfQW>Qf{KQY0c_BS1A&J_K!8U?Kte)91pev={2hXbi-bqbC5eo$X@NrHLckpqmy3E? zs`fFV*2oqukELrc8afd%$wg8+dIm-&W?nvifh&SS(lWAg@(PMd+B&*=`UZwZR@ba; zuG>QG+}u5GdU|>L+ztu7b2ltJB0eE8DLExIEj=&4ps=X8q_nKAzM-+H`9Vu-*OTs^ zr@ejs1EXW(6O%8erf25gEi5iAudKdb`?S5YyZ3qj%fTUdTyPKsxU;W6JT6?|xZn{H z5fD+p2NwKaIcyzuMZglqP7*II zCTS6-VYt#IGCIZQXC%r`j>)?rCiA`MLHKg~vQ4rc>xQdhp7-K|w8ErFVe)u8p(h#Gjvk-YQr%W78Fne z4@Gc_%ChievTSq^0!>-?zy7ShAEK5KjMd~{sq!KiA^#bFXADg=+U~A8bB@&79klfX_U-jTe7k z(TF?`h%2fR6O<8BP?(n*0z3qsMV~1QgaA&WrYwYxpdqmn*oq0E$o<^t-DviXFE z!4Dw(9Pngl!H)^PS*-d~z>_1!m+^oQNNH)8GQt6GfCvT_0)$gV3XCZlFry)KbZi9O z-~*}>Fh%hqjFim5twLZJ0I5LQwy*#eNl94(4Y_xu_9o~8=Xw~{HitgapJUj zOBcLK4(bN2QN3bLFs30uynz%xo`?$4d0?U@n6HI0V6+XU`#|(FmIo7k4&qq~2torQ z2d}BD2p}doJ{H_G6$wOz0|*%~WBfI7ML_l<81vfQHvZZC@V{p;-zhHbEq*dxWU*bm zCpJFnFpV$x6n8oKap{`N`>oH=)BsmNsJ~mK-_#pjz}a1SGP{*UwofK~%t_2~=ik9X z4xH}cWmqsBPAB#MkFozx-2Y@SM;DgLTVUHH-5tmtA5(0;rm~#VQdpCoRY;kQZIcE* z`&Ivv$mm&^&$BtDs=P_V`w|YG?ruvu!vm1iE7dH{r8&ssC*%xdd4SqACH}9|{(q?c z9}OK3HYH(HU)~Bp!!^LBc?mld83Y0`2!uzIEof&d-JAD(x^LSFeE{SeCH-Yw<`;dy zOl6VI1mXkC(qb(Q__H|<)9oi>{5*hwvX=noaw<5NsT;IQ8zBFm$^8Gw`9B(^c0%`V z;@*TB+$#SDEtsvN*U~T^#n&3Qs)?*uda`7;Zk%|Q%0ALQK;2zLtNpk57j(BmrE` zL#fINi~ePzn`?GL8{j18r)euY0;AC&*qsN^HH^1m!8s@BUjzM56aFZvCEou)?Ee$@ zp9XVsZVBBzv)8}GdQ}8j0^L*~;y{t6L6sK)2=g<-h9rV6suG~RfbeQipHI`@!0^9t z=sbE9J;0iEP2A%on``P@1O!kd8jADY{aEQ*{~VNTQ7utI(1I+zc)3?k^Q#_6%2KNO zd@SE4lO@o*dj&Yb8s~;NXqKm*)3pRlrJXzKKXlozwH&wsxYa4)pGGs}U1|se!Qdzm zK21es3AEF_pIPidXfS^s2sr$?zAFV;meq+!n)EiI=jE&}-xT zCi1Xi{Ct7~Zv~rskUvZHu*rG48&#_aM8tRbyw}s2!cGODBB0HcjF3Tw|2bQqQ2yDw z|0Bxhf<^u0wWXHL>9-EJgcqtNh8PRowL-E=DT{&GAL|$R*E8hbap*pLsC=c)JNDZ| zQG#Qi761Xf!vofL{mat(dM#;1-Y^K{L9@J#6v3^k3{lW3pr!q=x%?bavXsbs-UMRfqssmp|r(~8i@y*fD!F8=tH4ya059brinR&cLX`w3X&d9jd$-=Em!q z2Vk%aVfFV(8UH_uBxu!R`3`v84BP#Z7zSSagy)2|$sg$mPD^|+xe#b+4a1$QN-(c< z1Edl3vk-z=h-W(Fw@bv#pVJColo^LDkVx*oiY5q%Voxc2US@m%-G2JW?L%9Dd|Yiq2~y2tSI^4hPmwe=YD9*_Yzk_2!> z1soaXUsvD%Zlmn=>%szWk(S@Wh~0nfr2uQSND)XsHc2aq{Q#WgO*n%iL|P~A%P#_X 
zU+)eASR|e+z*9H)OaU@AtO0@_R3m3Pff}Yvf1nPgMnKo;v;t8=JXI58CS5T;mZTpV ze8&;vU7_8Ji(_{2wOFqJ+!awnPm>#L9)KuB0$v4URZy)$K)yo!JCM@-z@eO>(=wIK zYQO)c=F)<4AynHgg$#cw-2dxgz}|XCL&KecIrAX+yzj*zAGz8#3vYP|815*~A9W24 zk&#&kBh8c_B&^x_FjgVYPGlV_F@si>^k20m{QHfvmnq>;N)R)k?aZVoYZCh5osoRP zv+UN!A!U~5)bY~Ey!A>u3fE$nU?2)#)~i?(2jVcEWCIU`4iyZ`uW0H%lcE15Gy$=` z7LDUOOn>=-*_CJY%N_s?|mtNB03eDy{F!4lNA_QIPsDHb>%{|kwz++?n>!Vn~) zbyb$tP@wd!X>V6n*!Fe<1ktp$cLBG8>(gXIQz%BCDPF0?wF#a8Xo?iT zP=PRl|3`R=55kb8V}l`wj!p=8FW|F*y6BhH4r&%@rP0FikNj17bmGE?zJ9i&yQPhS zTP+4UN1N|AMAuuJnj%K$EJCI7VuoreuO`U0yt)0jwL0Aldzol*#BjEPGe<}BV0>KD z80*!(mZBj@d0l_$F#Wp?=8m};quzvPms%e-j6TQ!>S)iK$+e5yy&tP9-F86saf`Q2 z)=!uE==wCx1P91uGZQBAivTnTZ7u_FDWWFH?Kt6}9V(b4RzV9{FwM3Dt&bop}jlY>YnC&CI0OlCp?XJ#YDD&o?Q zwDEOBK;b9**PhkC+tBqbFKCQmNEY|-gBH5*$G2g$HJtu#4-Yl<#%Os)YFOx9z`jB| z?lFSun&n|s<W zqkhOW$kQmvhoE;=nwk);+{8y+6N7#@h(yG_Dpk`Jq$vj>q$AKr`%nNNC^d$#=krIJ279+7jI7+G)@$gEN>p& z9z#wpOL&_j-T;l6mJfQ~pkZCFV1W&LPwHa2(zIN!$kHGPmp*`#V!MFkcAA~E;Gm3! z=OjeZ0LUYFSXyPHBY-r3?|5cvfH_c?kN@i8L8<_yC zY`zD#DOg0mCXAp%kKlwnNfPD%o*-yuuCX8)kb6$Z+i-)Nv_&wf;#|0b>l&n0TC6*cv2LlVkpY80lcHB zfK-r|e6Er#M^4RU2!MMH_|a3>8ax9qpoLaqaVREeq__-p7B4%QSpapKmL1;58x`pO zHhZ55r)3G8Wol(|LFNfHYHwv5+F-|@@!gr-!6UJ14z~=K%DV?)Hd11V${J8)p@u>k z3%H=5QUmG$5K92Qp$!d~MnEA0ro4aS>aB#`QSY@#mccG%105{0Wh6EMnN5^pGwqLLX1Ar3_z&8zd z0Q9K9C&x!Xi~yDbGB!v8+Gh;K1n?2aPA7bXX>_KwPhN1k1PWo1R~~(%k>X};uDv5r zT~j#PQ2Z$2?6;~`#!-^VE8_tFz}J-Pr^vRm?19C4uN9ChAjf zu<=s>(w;gL_*{WTfLJ2|XsQ9CHL3~bJm8}=%oqXrS5pEg00{1|{iX2ue{JXp5Mwx| ziPWw#D!p@{yGi$aV75q|)d&4)yj;?=mVVwkh0zvILHhj41u}9zJHbbwfG+38i}>O4 zoVAI`o-R?rX8RfUz*d|!5dN+#&wX&;Le1N1SX*ha3BZ!~Bn(SdZNeZmc|ytS$rBW> zKIOl%qS+rxpsA+-gh>Gj%#r|f3b=q>n#0Iv1Q1aF6kAP3rxbP^Wn{3xXQy@eg_7ze z?~gj&szCP^d)U=Fm9JoBu%J zS}e8;fGd#d=m;=92u={CU3xcdW=aZcW*o>!(H|}+Tg5{gM@U@r?-c3_ECK=1kpNW@=czmzg`6?b zPq+f)3jE1B1ykS|N&SITPbw^Y@8Czj52U(;^$o@`-r|RTn@NF`>iZp`9xhMgxxI7@>)>l0`4$gcOfK?PK>qwWI}d5s*qjE&|hBGzcrCbD~-U z&IJT`J{J5VnDrP*4o^hi->9=UxONhDULRZ 
z1xRtwq;@N-=t6k`Sotpp${W5T1{Z{aQUh{z|ca9t6C9oYgJp#zN zNzE!i3MPym<*hOtQY>n(rUm7jx{Ha%U1pKPr2FzkPf7}qlS>AfK&4`PiVVy%h=BA2 zJ z0j4}ar;mgFDfm37(-BtlBK{3b1Rd=mfT3ss;e^(ZG^H-onI@7j>@%qn4~t=*BB?$g zS;p*bpZ3xzMXUD#C4Q2eOgUxAVaOgWI#6*6;BiGkXVim1W8gRT0~U@R`G`2NdAQq$Cz z(X~s2tUQ=S(5rb` z%yEHA9P)eqiUqfj_ziyn(7p(qGcAq3PB8z{XP~ zLX82*0+1Cf+axtuS;ZH;%7$gWi=pRDlz*n7{*lrGg*mK&_t%9K;Dx$XALA#uLBGB9 ztShCh0H_dB#69fM4Jo0Z^+gM-I%|vcjj8ft*unK=V20?yk{k?UlF}VLjJ%yLYWoBc zDjo!Zqoa&}i^pJQ0)VJ<9-E9#DNMzK3wG~1C`jpi9};mx^<90c?s-r1OXajfVg8+epCkk|tB_KE>utJ&y3Rx=Nh6ph4fVDd; z*a+ySKfquF>URV@(8z*$pFj$OZ)kYVIfu*If^+*A;-^^zEm{hx3#LXX-hXsBF;aq_ zs{=v#kq0wgXLXf@oWQDBOVfCz0Mz7nU=Ko|!v)lrP)s8u2R4Wh%sBW1X$8xkXYHj=nk#S} z^e&pL)e|fh11}&d;{gJ2BBg$Ggq?E^+1le)}>V2Xsqc7Z_>@p%=Ez4 zoL@X+c~0#qXeCqEzD*pv6vf@fG^S~KJ;}7b1lARec{WWXe*>|{c@gN+rIJMm(O5!p ziqUzoq(-txY^U{mPaYV}lOF&%eOeg?h079XLn=iDR0LS*5^+)Af1e<=Np~bs1wu4}^4*|44*RKECKV%%K_(asU!c_Nlv}g+-&IAR}p?3# zb(925#phH7gW`$kI(fm8$r~kHPd{eU#0*l&(Fn#;*1ukM{Z}0M$-3dLKA#ED+7Rn1 zloMXoRIGr-*D?Sv2M}JR1}m8dpfE~H{Y9HY&Sd$2pUEn{y^`ZV+NwV1Ee`h4QJC)9 ztGa1u>Wvxg`ZT=Adl6igPBTe-UsBC8P;D~qFA3|({Y|1jZ=M9#h^2-vT;T;Ws| zw~k)#ekOqAKsZq(0a&|b#jXJyg#f6$0(byPAY~~5Md)b`)PhkKY=!1TeyxG527XMd z60q|RCJ#Nf-Av7?C&d255}4 zIzq3v)i*7RjJ7pIwUjm%=te_dq=G75=7+uc3x>|&qw>Q9{Z*0u(g1m;$N<7QwLbO0 z-iA6rYw1s(i7mYCPi&X_mtM@78LiN#t;F_IKO+UcCxYLtZ)z9iw7;P5@Pr92Ba$;V z4*rAOFZmlnqfo-)BzK06|A`=jLR(!j!wX67xnFvH3|ZGKh8Eod2+Z#;m>F9+ArSKm z6QMAq56VW=_xyD78uvg%P*Vq9qI6-+};BxC{bJ!}Ges)65N%I%ra!p5PL@1#sT4 zA^qBf`}=Hno(_LpmvMe!mgSFSV_+*znBIr=nBYY)H-30$2uphqPspE9OSoSgCEZr+t=nb~c65)c4c zP?9%#j3gw$;YsFb{$+jkuQ<3B5$zMcphIY562cyT^qBPsjy%&1`Vp% zv$m8IjrG$dUcV~{&-v-R4U_Tw`mf(#$5&?hx-iqw5rom1{SXdoM24kGH*J-j0kFpp zAH2|*HY%Bq!V^YZG##G02cS`9YfkX%4V_~D5tB)t%_SI( zm>CMD*1&%XVM4HtM}Po;9xq8Ft0u9a_|15dNDx?^0I&w+Vx#sf0i~B0!NQ}F_m^D) z|BA!@fo%T~66C@>F~b(2;uL_Xw8$n^{z|Y{2{fTJ!HAsLqhPn)Ni!Xo7|-PVPnQ@e zoh`V5fQ0po|9ZX3kDdi!H)U_kAYFyyqzlOjOa=O{3sHyW`NkSi$6<%)%kUiZmu9tx$eB6 
z8wB}DypVS1CqOX+fcmul(!(rPYedl~^WDe^KmuW%oxeqm=E+(iDC>Xj4u_gchrMf$hcfNo>$|+4fU7D_{c#vw%1ZX;)H~>)a098PkaSnD{w*U%2yF4se$6ap!l>rZT zB@SyM({{F1I0|=l=^>h66xV{-Ug%ZYF0Nn7pq1_x%b zOA+Exu!x2^VP=pKh%Vrj4@(FCzLH3ZJREa_gC@ztmu`q|S2eW9gb+~&>$Dq4?-1Ag+y3ELbQ`aE^zlVbooLCT*VIOGT(RU z6&0FwZ$s+bbiVDCR*&axnA7No^Z|cK(xH_g>sZZy>334 z;OM(dgpBwJR`i(MjSa8btOx`Zq7X$c!_;qbo$^;a8`g^vRtd~i=UZ~dM1FB}qzh@4 zYdhG|1-E6u3W3$CiSuL70YY7j8lOfUOVEux(Bwg-1iw(8_i_!;%=HIlf_ zLz|lT5?m0mP3>5N`qaLKEY|(QY(}%Jn;Q?9Y`4@^wnUT~1(irzhRuoS=uj0-9|D=T zhA!+y0p7!Xs?W)aGokr)vdZmKTy^q_G&_0Zv7=+%_JHElOruJA&zU|Qnf@)vx5?2u z4yG~_pF_r1h92`VF!ITMka>-<(%PEfA{D$$6!i&}vz?-TK9>O6^8xqwCQhWb==Utih_PMZ>l&|jx4&%JRD|$t z?=SrY+)-7e2-HV z`+h#Td;WV$ZAP+kVBclEenU{fu4x%yU*nic4P)zJCb<(VTwEm%-Ah3@H)g}%;|;{b zIi|HHT@DLyJ2vjV{n=cz@E6}bVKk)xb)+B}njhGcWb`420F;xlfw+IegkIrqa&%Y6 z5uz=Kj}26LJxMvP-kAs`?8c#Ah0??gD)2GOJf)3F#2JH#6k0|ni*agNKEgx}^>NQX z7LA@{HH*_dlvw?0)y#Dv@8j9*9S@#SqZED3XeUaDYGn1UAFZQ}Gu}QyM2oXyICu$g znm2g@C&z-P@gPnFV0sDEG9D%Z2liN?91*O7W3I3^FX+DdHZeE1<>cb|@1-v=u7?%N zW(CXSEd*WI{odJ_cZB*$;Kv~SS*6E9Zo(XG=CIQCRV_v9kBJCBxmZHCmQlBTd&Jp@ z1?7%$?=p8modl*k?xZAN#(DxjVHcv5vgjF;zx@B2M?UuoM_zx%DB;-D1h)J51@J2H zc2RC*^VeiK&l*)4k(neMv%h47J}g?KZhk8C+9DEC(w>+YlTMiyaF8_9!$Ya_j>)Rs zXJ2X`U((o6aB&6-D{(+b%Mn7#S$%Q)(|rg7h!<61$y+G*IJA+7Wee~W-j^~8GY$v< zgI2*w081k`M2w7$Z41xqzVYM*lT%_+#v@>z`$@qn2H7PQGmSvifjac;b9U}3lS=*hdpx@%7mSg<;U@VF!u zV<)VlP2;U(0-Omj{9EFi#5gmNM|W^A6h>)rxl;&WRkXd*c4ni|g_2jGkVe$$1i28Q z-u8!4C;=>-;(rEnjo|k}SZHMo^tb&$)#FGc{3|NRqw_>nXWdto=+UMsDsCw^mP4p% z{M|l3!tEXfA%Lfp$E76;2z>svz#H|P^pX7?&i@)#8Znk0CZeH6X&wm== z1_+84PwF|7W|=vtl5F9W@yP!zmhn9sA7z>dca|Xq!9W4u?90S z5AwNe*!l~iTb~Hr7JOZ00cRZO_9o_~N^>1G&FAaClc?gEiF8==h zHt%RH`kq@aBMM6JABZaK{7H1BNoJ)BUvTL%^fGL7n_{)DoeclwA35+Z|Cnqe2N>tS zS*(?~zwl_f%0<;`zy{dr3Sq-_oBja2 zpjAML^o;51pawknxZL;DCqkx4y?Z@^t3#K{NHADhjimFWzpuj5#a zU#*QH(=dCSr#4=k+uvj_QahNZ@S)7g#S2W`H}hJH9SyTJsG z>ru)#Jd>a9BgWa;bL_cNpE?~k&tVRjlP-r|CZ*Uls_UHEonarcZ^Y-WjrT+peaq5R4|?i9ayw>|*cU>3mMdwJjRNaGoo9d97XAErO^U60 
z`Cw60TpvPNA3peOc$K9rL)X+rfJRP#dZ)c{iC58^A8-DUUiq+n!(#*SS~sYJ0Vfz@ z^b_~57!$BHfW9O+Gg{8gQG7U;ppTr}6xx+i2*hY|q5ac0n$O2AL+)Ph+F$Z9jd7y7 zeH!g9(BtZO-f=cD?hJGDq&Gl+Et3)5^n5HF{ej-ppjq5(L z%!nUj$Y#FddHb8yY5BtrUiPnthZB+4=Rv9V$w#mMoCBf+8o13Vhu>!!#>PFZ>v_R; zGZr;Gly8-Fn-AD(c>?JBx+M%MO&@%hL3>S|eQRH`dvMuCfVi8_aTpZ<7@6Fu~1UO@nxLQIPzeFRB@%^9*xLSi0q z{HeFo50s0B4wqigkjp=Kcz7r^ZHLA&rF1C+jTplQkh?_phw<`e2$o{dh%rE3?ZojN z2VcnV;lPu~%Sn2*$HweHAqQ2#3Px`=pE4^Bt zInlRsICmj%u3a|Z=B2D$b24`Hyg#ws^wqq;7gLz1v{Jes{bFj-=BEqQgB?CYoI>@A z!R`jv$d2}5Eq5uuw_-bYvS^wnZU;sqiiIn+1+237i=42$@VvXqQT2Se(L=+y_#lPE z4lzlJi<}xB<4%OlJ#6V`LwO~J83}9`G%?8sw#joj%LZuQ%c)f6HDc3=vCA9G`(KW+ z_nG(2)uvIH&Qn{gK*+)Rb4 z7PkYX%gB0dtU4;uEF!<7{jh0DKxt9dks<}Ff*Yc>ckHtVs}S(N)czf#*njT9wn5RU zANUvD?&a)HcsBRS8hW|g(T9?5r$Re-oLh5m=E2Zwx*4?hAG9w=I$m76Nn&kIwn~Hg zykOJ*ELRyt1_02~%PB0{MHjb&BaXG6<~_?Zy~Fpdj7QqQo%4d3i>xRH!pM_qHZOz1 z2%$xXqsW64^y9hp0<2qoQ5rb|lw8zU;EdT&cR|Wjj&I}Uj*LyxkIX2BwJVlo8k4FW z=g|NQCFbzBsXbOLx$#`7OLgVP5_1t>y6udE+cMuf zFeLVAwuGA-h~Hx@oUB-U3x`t>tD8Kcd?c%?RUgL6o|d+5+^B5ETx^O8sYrk`3XZd( z{!QkEjVmO(I)^Ia`Vwl*Q`p-ilU~@cZdt#T3S$VR+6~MRN=YxNxp41AQs4#VIk1Z2 zF<&+nY2l`jU_6AA9k?sVj53;m?*qUJ$d6tfhLuM+un~aI+6k42KyTaS5)xuBtfdx& zHl0^%sbQQCRXc3}xJ41i&_pYfmxOp7P!h}fH$zG}gER zG&o_eOJm*7jo*JFtg@9t(PYg*Q#nI-(*Mif$`Oysbhdi7mTWY9wUBIJJ8&pgOGa@^Ms5%gM!jo)Mz{s3G7+X+ z$piyO1U&ighcJ(zoLcU)t=x4?2qfOdOAdB=<~2s^<$8l6w#iWRZA&R0vWD=IpUVxO z*#_%B_ozaqaY^bcBV(Qt=$L-_vHQOM;$k~uy!3cisKMjSEgk?_>#CYJ+mL(5!eg1D z)82O>1=vj*LDb}?&bM*)I5S%FPyVnsy0d2HJrQN-6&%W8MLbgL=v?;0@us|Vms$5~ z*03-vnLzCH+S(vkGJm`&?h2cd^eB@ttZBwv=Pn$iEnu1LJMEYyxvl&VbKPfP0=6`P zf^Db6N&^f{L3}@eGvReYO-_DPw!{^P^_jdi2(GF?jC|4NjIRpGkZOsNgV)o59j9M zVxKC896~}QT4YjFHe-038B<%#9TDF#K7yiCQxr-AN9G^4M}ZV3>7wK*{Ue*=q?UUE z-$8=5G$#p(A&BtXWQC`2QL;i*)AG|Kxr(M3!$c6tJc6#Dv#}l#f@(bx_r`xesBD!3 zE|0a`$Qw4Sd86hOIa{N(HCvms>SMKg-krd5pK$3bqTjt|9|}QATp7cEQtJO!j(9|t zGqYF`QH`{l^928G6JE0_} z1~vzbO$3>o`@&$(8>kp`^%Cm_dDbz7QB997Gx!H-%m3FQ#O?psyYhIb^Z!4)l3hZz 
zL~>Osxk?c^(@Fh=a^#p%BqS+f9HCfgU5O$`2t|%@WSSVqQphb~wirTg#<&yl`y4Zl zsom+jyFGs2{n zskyF4j_p?*`j=6A)fyW+r1&M1%gQE9X`Y2mlQ6E{DQePxy_ZW>5bT?fD_=Al@l`tp z2s+u#@{eozB}kki9XfhDfom^bh=+u?iuo;!#MV6ztYM-a1z3}kZ7^pc4f^!~&cap5 zz`#oGA>Wg&^#|;f!LNf?Qn=eqm@r} zDCSjNY3OdhEHf$S!Y#&E;B@l6hmSCZp@D9$ylg5Z)dhvEy`WxP2u9)iM!IJd`yTvw z{HUbC?Gy2q#nl(fSTOxhb69_Q_Dnu<7=A#1$vBK9JPy)7CV;ixVjG{hO`>h6tObC} z5dc?9rjm?grI}Bt*cG2yO!32&K|X^Dh4oprl=&s@zYA!f_rEkBGcEN>@IGOh1OY*x z%6OxMx!Y=v_GhuPPZ`?m_^G>}*BqBU`H(z^@SX|8h5j;Kol)ZM-8@ZDM_t_Zle;Zb zhDV`6g9zlgeswOS>qVAJafX5zVv8ckFiAiRro&xss}(Tdb9eJ`2|EW>br)1ttr#nW zK@JMU?5z!k^b0_URTU-ncmgK=Ew%-QSOkQ*BQ^{q&#gLhEb5~@voTD=Pmpr`&&@khU7}u&kEQL9r4apeD9T;tI-1J z<&08yOOEsCW!Z@7K*f}G%&obPM^p}R=zZ5ucc^mNlQgAl>8ZHVpW_b3#`tnYSo+oaN%Bl>xPIg68H*u9b4 z(eEae#$OY{e2R^muMfVvv1fR<`VIPWsVCA^wy#yvts+7y_&59U8+~M6 z=p4Icpw3Zh!^-UJ3mNUQg`G7qY21y{zIhivVMwh)t~&zV+U1`#zD#Y=wol*Pq4?A|D^`3J?CJbTX0_6$A1j@{#BO+67y zhy`3o?kIu2PgyRNQe|h9ReOP_t249oW(QN3U5`lIdi9Y~+ikM1eItoMthAR!OQiix zh71d=@VGJs5%wIlNv=KQ)*Hn!h7~U=yYC#B5ioY{?JqAjNh9r>yu{6BsGWrE0bGBY z!gvwQ5f96^M0YQts;S67WHRvb@Dg<-#Vn;V0ehyHl#d_(ho4nb&wb5sScsXJcD89e zS4US7&~J5A{4Ua-Y~fM35sw58YP4>bnnzdmL6H>e7#XHJesc(>>`Ba{+!U0= z?E5{611lLq8qTLW3(Rx4hMrQ6akm#QR4SE#Qn#9TBKa}3z&X0GIsBzdP*486(D zUpBkyjo@dOb4^b*N{r(t@c662MS|0bii|uZ8R*njEV1c*)EXwDN{^^gelU}#HfQUL ztLMzZj)A!aYr(g&I$G$9w4j7#gv?gYAu5z-^Z3`3Ycq9n^E5B2 zmT#Oxgt&il?h`F5ZlB6~dBNqwDkkxy27@uM0f=;=-+L{Wf^z+ER!^hmr>BN_PtR1l zGHRP{rz{gu!q=sj9ZND&kp1XEw8PZ4pH(I`otY_0nhYrECQwOrU0t`buLKv0K2%oh z3K22NsACx(Jp;V*mpi@awj`7Sw`DB|+`2nF5G?^BNm);%QW9m#YGp{oad<0Y@xzrM z8Xr?WujXq37nM{^!B${x5*2aCImC^tyTtC=*l2GE+I7>tGkOkz3Vn{^Hsmy{Xkfi^ zSchG84)JlkUhlSV@u}=mKsk^|7lQhJj~44?MUH_<{H}4vk)Y$-$X|t?A;yodpLc=VL7gpX0s`nzBDZ zJ)v>YCc}E_#06~WfXl~q%ugr%XaXQhl@a`sMG_Ftv;*YQ8;7HOog8C`YwjMHLx=&8 z8jIp47xnhxLVZ|Yt=Co_shLBhA=RC@D~)BcS#QNwjLaU>0UR10c(0%=2fq4U_5Z$T z0*%qVW1L#P5uE|=k6%vU+Kw0E>B_c@`Axd2!tB_&54#HTDKY9g|+oBnqCFB#WECQFe%2aDz+Z z5U7tg%OAk{XuQf1d8OVEU(D+8yz^w8KtW)FT@A(GnY&k$wLf+TKAuB5i)sX9>VKIpggQo~SHE 
zd{-vjtHedl=}iPUi)YZgJR#n6#!^AN&Fu9Wn;jg|9qe~CR7*b)PNMegUSBnx<05b* z)T}uqS;y*?!yLkc<6n#|slR|RrFo3$(_-w%moe7z*D?0DVr@9CVpAzkh=Z&SgHZSZ z179A6OtH(4%}uYx*s440dF6`bn22|_-^e{PlBUHyhu|@0anzSeY$OdHK<#{Izvh-k zsy%0Whh*d&0-umEmhE6TFbERa;2dHFAoZgf7WB-(@~J1-)bp5 zIRV^0&9`(kXkmvUWg8HPKykT<tySnWE3T?7pmjoqe9F}bC+7$aWc*;_^AIy zQoVEs8Ea z!$zRZx##k?y`TQ^#d$x~N;jO(6N!|`6r2XzOOy9grrEnA&v0#*7vgEeT0Zzqy5Y5p zkm(TM)!IKcV$qmZEc6X9F3VZ^Z_WtgBOZk!EaAqV#bu-A^qY`BSu}B*Tm%@KEjgp+ zyZM8T0hra_K0JCf!5SpD^x)kKfg8$w z-bDA7mrbP%S{Y>34)FB#=G|tZB{0E8Y_d9AAqEriX0>ZK7?T+^V#b>$a&m0W`av3L zWq>Exyaj$ZND}NQtJ2~MPv2#%+VNR*;nYdL`S^=P6M0bkO0XrM%v@Zv7vB@_vn^c5 zN67p(gsy#!IV>C+Qpp^us3WpET0!d0pH{~GMnMafYNh8qI1N(WVJNV`rXu@sgTN1$af6NI zIY1lJk9u^4ewM-Jj(E_^VE?Y7$#SXvB)G(+9ay~OMcFFVn$3|SiDg@_r(W6roFnun zAtg zToXvWgHzEuA!bo!B3Qk=d7tn7l&-KZo6>(fuYjA_b0L?n5h5Q<*&RzGosK0mfa3XY zP{-e^&s6h-$_m`>_??IAj&`3<@(Z$5T!|qD_Lu~ z4|R?jMVBo!S$wZ$8b6zg010du6PvrrLH?~9DXKMWJR7B(_)s@#GDo77yx&JSO>FXe zdK|lKN>tvUF;z-_C1|KrCc*V^nthLy-twS;6O`y<@p%rP06P}&3(Q|FIGDdKzuF8f zhQIx&uT09YJs)jo&wECExoXQGo zA&f&3AenhCMX0sD`>z=pF$R4qtt0|uhZ3;!(Ohs~B-0ta=p z%B1^ee8Y|`scP<>ldS5L9;5O%4Y?L0v$+cNA3Z1)+eH} z_oxz1w7h{MsR1?F2`6A9HJ9k$&~m9K*!wU`CBQ6|8yk?qn3MKOMW`YDw-N&lo2t;40u4(5TgD6sXBz4Y za5_#-@Y+}_p8IBhnXBMbYvvpx6I(~9>By)~BlXTG!y>swH?4Szl2A0$wTH{5QU=ZS z;e_JTml6v52q>Y5rY01IjU*_cxF{!ddWJ?LnL1T^MEB(1V)W4FlFI*Vz`FYm{f6UP z)`=!VbtgN%yj*LcOkR=1_jT4=9Hb%~RIII~J1ZR~hO>fR0&Qe4s<2Ii`9O@JQ>ItY zN0re6vpIyB#qRF zdFB|X!?^E_3puji2K%Q$k24^M+&g%sM(M5^HH|Q7E<4%<# z|J}dD`*X+&YFT@-$K`3mxWH9-)`D$0qW^^{# zVsX5@YSJwwEZi)#To5MRUDfj1>GfZz2$Jjp5_b$s*ZH387o@bgYR1Z&^dcV;z$P8_ z5F!P~M-+n_P^w)IwRsXpeBz`d6;`@{jYFOB@~7td2zKbaeWjL1clCkd315-By115) z?b?8)I60_srDlga_VjxpNb9Q7V(@zc)_*^}>AT*ZX{Eh~0B2b}J16fAazDq4M&8@S z!D-%LJXF-%=aWuqX@*vhOkFv^6?9HkfbIn6U4C%I?1;y(%#a;Ln{_xI%f)qNwZVAE zgSn8F$Qjrlb>D$*Vnb5^GIKPkl9iD0TuzNUQzl|tP=KQm)LMqYYl}n@Dog-#WlFIc z!yNTrT0=3EsGDopXi`AF%6QH*&(6wm(mme*)o2o5u_uvKsN0TD!_6lCfdkp$H~4zO zm_ElIw%3dU1Cv;$jSQ+FPuKpp|Kgz3*Z-AmW@tziHg53j&o4gH5B$0S0!aHwgKEs6 
z1Dpwg8-SAjT9D)=sHv(to=s$--<;;jGOPXdVo2+iSC1d>-`ukp|EvwT4>jM4uO2g! z4i0A06czo3OFo8`fB&ZEa>s{T{on)mNfDZ;T#;>~plf0=k1=V6nV@e**BD1I#5AUu z+7vn|CMgjm>1Z;GN|0(2Noz(mnd>((Z@aI!R(s#wt>5+O_21#Yxz6L?dGgjj<(zY# z^Em6xpFjPViWY-8B`abE1|d#8=;(6{R>QV+831hADp|v4*PxwomGk)PYI3JV$L6xt zO!c2KI%pTTWcoOUeAy2|q@az`-suC8D&_~B%4r;Z5%{=HH&60B_J>LFE}Qy(w5`|g zf22{P&|*kDJ#^~+FJolXhR&Z_M{e>H<8uQuU5a1-^_xAjO9KBcu_D(6P3RI1I0rv` zhonOSrH{klaY^b)FQ3+Kva}26XmW>4{9g%~$m31M)l{XfXwH(twJ2mt2uWlA;LTK6 z>-K6YguaTG!7r17nNK^bAJ~;8AZBY!1TO6dtKPT&t9haVh!Z(>- zgh+H$34jAI@-BL`~Avzlbt9T%K)@46tJR3mW& zA0;(Sv2^Ik!0eE$`JR~mQM*2Fj@jn!N!f~la?UlOf-{wBGQIm9*hLw19X;JKj$hB^ zM|;Orx3Br+PC!M^z8ai+~n7+(_(mu4Wq1s zqfG9IjG@p*!l;I^F)QD^W&ez8=2J&K@%|ip+U>f@T3pq8V38Kw4uqboK&2{cHXNw@ zgubxRgX9jv~KeG)vnL;PuUjsA$*WV-R^UlGVmQO0Q|BsgsYv7@8A9UWHdOg^D zGC%k{)L-nLrmPAkTWzGRjfsrjzbptel|3d@;ApEw&Gg-CO1$1#$%?ivj6z6;%vSGJ z)$ZRT|I^Z-AiZS65m&$A7Ee2W-PBvKfa3Y8v@q+k94i^|RQ4{n9<0adE`CgvmSk&x zQ15_dq9q3VblaFBZEZW%5SK2SV3XH?m-x;5zL%ty+Ql8XDyMDuiYH z@C7Vr3|dl$laDFBTG2O(sVLM&@?^M%!ga4WFz)|-zv8YqR<%mz2ESF@7WoGGfSLUH zLTcr}gR2da`SZPPb#Geqj6rlh;^0|Pi_*wq(NS&G(TXfro-CEdY#6-5BCV1|3KSQ6 zDyYQTtX4MQv=?Z{7jTaH*$Pio$b5@|2!o9uQ-_CqVp-ix-hQY|huWO%kcCN|!F_C6 z+-^9a1;A)A&?3cz(?zoBv{{iDNXI5}Naftje)b|fsr(XzuT3>-1ARJ*2A{|G_3DK0 zt&p2p6kGz}0501Ujg^&AZKie>=RF4JB#!U71fGgF*=%=X>I*^B*cKmNEe8gJn8PZK z-z-|Qlw&koGT>fNt$y~x*A2DWWx(0EDj0+9!!?f9q;XU|UauC}pyScubR z*!Jd>n-m$Z5!lzKU@H4v*&LkY>}e~~1Z4bkgn|VK5FkK+0{=gLpX~+xyHjB=4$ou< zjjy-)(H!9GwKftYDp;SLB_$xrPlP!mhojH(-W~$*9|$`Q9v6f?y~W6IcOCdp%H}O3 z3{{pc2M`B91^_$(z&)5b06+=g0)WtBnD87-QgZpy3;i4LP!j-70XJUmbR6-+uOKxW zhrtk*AWB$)0mG*VO%fp~Ej<-2EfmJ>#2n-JH;yRr&d-AefBkYYqNmpv6GVNOxXa6V z8X1Mb)sTa@W&oknlmjff_j@1|IFTYuQFb6Scx9Jk9P7gxFms5|%i~@g$Z|rMy{idxmp-<8h4;QKy+@do&0IWE%wXdmvf0;nJJ8JD zpb<@g?3O@iV`OcD9hGzSE$@H zWFb2(iepU7BHg!{HV+f0`Ut_JFWn^+t!X^KqAy@Px z*ZhsGs>%W~cn9I^(w4dY$MfBuLBpIOsxP8jY^#S*=f+l2po(sX36Z^f-qA%x*rMp2 zA!P0#4R#W!p)Cdf9XYyKrPbVp$32szZoCe~jlgVD#q6GVu1BDQZ~U;c 
zidJA%dkZH)W8-W#-$jCPF{5ZMUrv-r9aPw4SU{>uW%~~$>x?F%AX9_6H*5>JIJk)L zZVlo*loYx-TQJW?dVX3h130N+4cqyB&cG1xK3z7iir)i$A-hci6SJCEvmx{3T{(L_ zuo?%B6VAG28rR#Xs%M5u+9f|Nv2yJfUgO;xybu0?YB;;-^?4<4%Bo++VOU3AVT|9X zZtl7*BFVgmiF}z$1j;I;d6aR~bL_tNF~BstF9_&cJI(27TQZNx4@kd^#lZXywAeU` z{Hf7OT=X88e#uY9lB4JJK>bilQAE>~B+c0!T{fkHlIJu1$xGI{6hq@KM+#F}Y%#6M zvwU78%3kGe9}J^&owIbQzw(}y!p6q>yObu4h)WTsI=hS1MR;V=aG1=t4O0E+g}6Zv zW>Xi}0@L!}=V$ALZbsntG%@`bY;{a?>(WapZGDP6f#KXpE%FOvW}hNyhjE_eiFLc3 zW6oR96$r6(Vh4AcA!#?Wz5b7N+FV@tgEik~nRRn{@(=B_MxC{P zAUtv-o8LIcirW*xv!T;&$aq#A!mfPlyh1&bC$ZV*O2WhZC5XixsTfNM*CKgp*oHI3OTPLub)$J zw0$RlGXG7_;JcFf?q67z{3d?yTJoa^JLLx+Auo7TCtqIo2`;Vqxs2|>{hTwysv8rv zx+5W81?y(wb&^hk`6&*l2=(2h>wCh2ea0O>zs97~#5gJvqg!x%tL@4k?)bmQxH3B^ zscTVTpF+&|TjE7QeWs|%7Pj_~$a#$zib4?Ao>7HYZ}nBD{ptL$j>KBg}&zEaUA@1ewU z#CI>tJJI%M9lJ5<9JyQ*n1?^fiI)u*3t`(HXva#gKXsr{2$v%(2{x0}FW;Y2vm{ll zG^^DfsiyLM|bD}?#fl}=0) z!`)fQo4lNr&!FY<#>ON1*eE1P>R`p?Jl`F{)<7gc*l@xpbd8{N;_J?$-$q`YEkxen zcvT}#Ymv#diSgW+q+!o|UXR9GimS%z|FNs^OWIgkkEyz!%1*W#>JeTedEC|mKC{(F zSmTWM@sR7g@-`hFw<@k5lx-o>(2m(h?ORHF+NDeVAh!3cN_oDl?4#AZb_@rdskVbd z<}K#O<5AjPFOWzpD0BV3!r<{E&it*@6Ldv0CTVZwov3>!%;7{&tI!%PP*JhacEdjq z;Hk3u|6|73_NvraQYL0E)S0u+E4v>WecaO1-vnus?EJ`DN++gl8Z2dgv32NnxP9Qb zC{HZDX2-w@F)k*M~mdXTG(mtRoG3HZ(W6U`Y~izbMW}_6^3GTi zk-0(Q>YT(pYh|H4U~yS?HEdfHzD@*X-vXtt2{nEWF{^CWZ*t|nlxPC9MQ(eMI zTpqOf*1ZaaWV><$f%|6sIGKd?QFFyX-{}lL#y^u6af(8zSiA^Jp*{`yM(L*wF3Q$7 z9@3J#P8A_>;(?aTkY;a_UW9D8PryV+t}Eh0=qrpcvlA3@Oah;qq)c&_dc#^3ifYlv z^rGX>yVK)BRjy1h%y8?VuK6UA9_{eYmdP+NfBo?`9i>!P?*ZOz-{nGR8Hj?c{@rB# zW@9DVy$C@;awk$p6~|XiiT$W(EtVO&@yqnowwzp28eV8=`fMG!=$!seFRW1h*;ZR1}=Aj3W0+jpgGKk<=8d_9*ZjioSE8X{Jj^2c~P zBaqEEoo%z-{@;kT++J?0wcO76Z<5vK?d^A-)9r42CuZZLsBda!YRaeiF@k-E|Dwc6 zRDDi%$MCsqfn3 zs!I(72CKb>e5>%{;7ZLurAv9ZYOdSxaTA2{*J?Kzk7UZO*vw#{dB>e)a{uscdFM1 z!~qk)$Ie=4jLx%Ccd(=sJ^P}&T|!{;PvB3aU-Y$Ut`RFq&&!Dyvu)G4{*=y zPpYF$%d2g_a^P6u-gTgLzYS@opgF(gWziPHh`~1=SQ{D42;fj9g7aJg z8goxkPja>e-vsyAV_S~>HM|? 
z_zaohL(QGj^M|w~+ceu!YbE7Bwu@7-s_ng7#lGDJ^q`p2X1fmjP+cWq z$O(9S6uNFV-U9Lm9QtQSalE%H=j&8{9|Gs2;3KV%!7W3~H|sP@!OtI@zW8mq=0{qu z(066Vx$QedKlfjci88qkGvMU~;9b`Ntg$(?|D@e7b-#J#8c>VUUM$l! zkxwt;AMC&SaA;WeANCyd8uSNM$ba3)gUN9(lzX$Bf$8yd!L+RfG&WF~Xa0R0)Q4e6 zOfNdm>vQFu;H_|KKK}EYcTt}zTo0d569f^{PC5bngxs6Y31N4*+qrw4KbeoX!{`(E zF4}wj`TkkvzCfz;03Qm$arC*U&l{ityx3z-;DZ4Wgb|p4A-ui!%wI2jg0oQWpL9pE zcXCI~Puz8UFZek)`I0zxD|8XE@*20-*j4Nn{O8S_Ndjb;VcxwAVc-RzhxB#*ujX0x zCTk4+IuF+U%|s>6g~)0KWYNN6=*}+$GQ4b%V2xLB_E0n=Hya@qs+ZeDUIGoGn|Jhk;u05TTmuGWm1$G5(=H5vbcdPd3padAR9N5(hR8oMyi2) z*AxiFO_=|eaBw8a|qmg%=OvwcBF}%|poWFkDVy^8UmN##dm| zA80Wy<{C`YWWtHX1P*e-BH}%kV`ZXN5|GkdD^U#TBLg8BKZd0&;nN@RieQzbYsyAJ z0E>(2>9{x-A%jkReDaOs$`)Krt@9QmqDAQf#^pZ)<09#7M#DYkl)gv=Tp40=>`A)f zNKM*h1x0SAOJYX!Q^kBwIW5ah#gK^B0;VGZ*M4Z`+Lv*BPo1Nq6|o{qZ%j!5Zs0FU z2sVpb;+2f*49Oa9E>!Y@y>68G^it!0-a3&&Ob8;xNNQIt$E=Q-^v5`^TtCqxWH}9iVw>TKlnHmCSk`wj(2(aw&`UjtB1h^dZ;xPW&Slxc1Q`J45#bdNp*Mt( zKCxvJ;FGo6WqmG`LPDRM_vGjM8^+KSt=1Dpn!V9lOE6HHAsh};$X1XLoY}PEcH&NU z>Xj%r8!~Bg)5t{8CZWz?l-qii2OGS4mPwnMx3o$d*|#i{Hgod1%2?CVWx2GOM4uJW zWVZS@Br&Ck7Z*m63&Olh4$uD@$Cfe#XWzJ!%3580`{&`&t7DuFlp6zvmxgY1{{#{I2^ZrtfHpZKojyr}V{zifAiJlht8gRoc!i#9Ef z36e`eg=Lh#u$-ChA|5NRV1Znd7@rdv0sbHA9Z>7%8mwo~ux z2sEvUQrV%Ii%UfJ4#(uk`iB#vWaT@fN@SKah5wgWGOK+tdvY zA(DuJdbv`yBo8-$VCX^%$31AUT^ydBNGk-@B%;bJl!#+KP%8v3tySXFNQKIwszl1W z=4mFigj0}kEn`=$Axw?!%A_WcOjDdzG|#u5N_7PJqnt^sS}y;h6!J?fLnczV+(xKp zG`@QwzN(V@1p;>4K7CY@4JoPJ?*v|pZn53NTx?39RWbW7S68JtZwIhSKD9!%F87Sq z~VoP(~-^z0i)D zX{0YeJ@6@n7Pp`axd1I#t}?N+x8U8YUTzfCys>XewGAfs;6Y5%WGr{QHM3{7fYcJ< z6%|CVjqWF(=u0+C6-!a1?@RT-E24;YVBF0OxN|I~G(F~fTO&HI5F(E<+1 z&-^&5^y`*LYfT>T{+aJ)yLvp|3lS+Vi(p$2@t#FPPv}2-OVH=HP%fxBcTEZoSw)?i zj}-ObvB!Z*=^l;hGVbs;Dj(@7fZ~|!m4G?!$hjsIqX4v2_$mn=c*`#cG2|*c9$)`9 zrXy4xIM9{us`I(kGASU}LkVKV@|9$_T#?TTi$Q-LtmX;cg8cc35I5u9kMmMEd*xEK&fUEOy<*gH`OadaW6g2p&LzX% z-t_tTONRD@)AY0=4wVCb-@8)P+v`jq(CY|;D;Mi&D{7WFc5 z*?N(4D@MF`!PD48LXnZJP=3}ZAO*KAebh&Y(ZEJ=@v*V7aghI+hCWhY@#jR)LPM$_ 
zW$2UijB^u)_qzX;WuJTe-rTqK!g4QkjxJ&WY#+z_gv|{PWD4?T3zqdh@&ngH<(32I zsl6h;f2SG`It3_flakUBr|okVc!(*+qf&B5h*Q-14^HG7POA}8?H>=ZQfC}Cm#zsF zvPzmZh!K2sa*+`2eG&-pscqig?0L}rhNk4<{=oe!i!`k@l^o@EPO+4Bx+$%d^^r}B z_V)}V{)jBm4wU|?@(}F;`V^qBr?doTM?(-Dz)Byl)0F_6OqZW9_UF*Cj>%govsPc_ zRk+w#R2?m+-&G)W{2^w_r1oB{D2zP)r>he5zLE_!e>Zbb9a}R~GkMN;Fpuxh=<0f1 zgmfOi5NOPyBVVWcg+gt^SGE}%$PMr`w}T&4HhlrrFd^C_UaX(kyJ=6@j!V%OEK$scX? z4%7mKNyvElZQ*?_65qh#E;p~DEH93j`;XoBR6rF&GPC}_TSYd$FCWXJmq^5lK z;yz~s`OxT{y|r#<>c4ro#(vO7J%V>oB0hvq6n;ZWn}YIj33C)Twwr+7M4uO`!M=&% ztqSF9^bse!;uLJmh7`87nJ}0&MTZD<*kaV8{a!HYI|8kZQ$Md zy2=8oPz~4uc@4u_&jO`)PioT4`8Jaq5Fyks!&zUgwWM0{+$1k#e;)a+52f-M0rS_B zk5Ff8X3`Ob&cbw_KKt9$&egedD%K0O(0@du5q6W2+_s)U^HjHc<~?i|^cT!?B&IQO zIPqL6m1elRE5F+6C>X@@r+TT})=Mxf?dCH55Hy67WiOXITq{-=Hkc4Pni5sm%dX1n zon`!-pqWY5&Zfx2j-3|_AH7XYlA}14(nHFPS6oKww4!lN=0=RE1)zNdUc#oA`gmZ8#%NWk$=*TzrsKaG${PT zm2Y>vsSVxnTii>8CxO0W4ip?_B$fsj^%N-#jaZDzCLU|z zt9gdj->IRZwS?`5BqPdj-_6I-i&V%xL2HAD<-l*!zsgM29 z(C40h1p@9KYB}VQ?0``EIjM2XUOHFhbQ)lV0>4Sa(y-d!Eq30=cL|q@$FBy;q>kK#tq` z&SNo;Ad(v06_ln^%q{id`F3(ZFhFp<`wvz|j-sBsxqcbs--OUhvDjl&q|N5#^?vfSD=B|F|);lOv9?sRvB)&M8zdgCA z;C=45ey{U#tKSRZ5EPZtOf;NDA6I65?#gBe&G_T9yZyRwdR#N9x|?@5SZme6>jyWa35>qg_X?hFhZ#bmVrx z&uSfdt<&6%wFu={1qm<|(jPBsK4EGW_5(MD{)BB^yQxkcy@j`2JOiTPDvy+5N|*(~ z1gE^vj~Xo4Dvgu&Gbybs`8AB|S!WL487iCndvP;pP+n2!G&itWKG_w!-PLfk8$8_o z{G~JQ!Cys6A_UW=nnp{T>J8+w%=%{Q+2>_t-rC(QK`@)&P&@8Gq0ZAPlH^b0zCwN) z)Xk`JIL+!O3o*lQn3Bjq%mLDJtqfV)=aecr6(VMeHnb|mn$r;@=O<0WwD|7!ZN7BR zvvy_sPmiKL2wA2RA>o;lk5sCw0H^pZoWL z-iWr;_4-!$o>ng+3_kB;GSqgXa*6qiEgAwgu|=0rTCE9mqlL}Xz>+kr3Hgu?ho71? 
z`Jw2lZq&C>B5QW(VpaQ${1pEHYJ^IyvIqawnd0bpV?Y`xFu!X4CC-@MqWpCMK8Hzv z8y#-9+;|Y(Bo&(wf65?{+bdTEN1pKb7FM9s0b;HVsZ{;a`+pyTE$*c;L z!tNt9|8kvOX^hBS{B8h&@rH=z2ER4`^^r7AT0XhXnJLv{ILoE##@5t475=dG2HlkP z<|aw?IMdmg)1#C!d-snbExp@EkvtPDi^CW`=n!3nYqgV}a4fdlkjx$JfoUy#GW!!J>RE-M;og`UYZ9 zt(_^kK~$RaqN$s(Us#?{!gu*#$Nm8X)SLqr$Vd8T#2I9sMOHjJx^bc|#n(|7`K@s9 zu%{-7xdLNTnD(UwMTL}~jc?X;j}<(j5&a-%Zmlfn^G}4F{#)BOBVJ!WQ?gE#mYV(K zqug)u6Zk z$SkkssCSk+&)==*)zT0booUv!Hm2kT=Q8cD#E%KOamC3W#Sn{>T`{Ci{wx{ysYc@> zZstx=8cuBqG@pbx*+~Z1kY^N!KU# zw1E0!>>#qrou;^X3&(dpM~0GmXzgW0$7HE|mc7C~tvE*%Q=^6!b!6a0oZuCj^i-za zXSBIotyeqSj7L`_t^*s?T*{)eoaj=hO1;}(Qz_ibK}OL}d!D_$QTR^~=EZlUp?6Bky#DAS_?7k=&eDZx0hcT;D z;!G~9To8}&utK~v2s9-*kz71nTwFX^sbd6mdVJraBGRu^aKRDTy@@|`BWZDOKV8`; zKW$TP)vEih?ORMk+)!~-UrgSn%UI9|1q*=KkU1FqCEMsf(7j@!M#1-v9M3!%A_6HZ zHW1t<2YWg-S1qQGXgfU~w8S5d7HQK>ON$k$%rn`O!YKaMy^x?l@OatM(AP5A;Tx`V z1(oEm=QpZsiMV${Pg4bWK^&iX_8@VnfOD%JE)yS95@cZFY-IMYY{m~xy#7HOs>sR$ z%4*G(fRMZ|<}V*PU)Ba5+wUp=5lvH`>ViL=c4Oxmfxpp?`Q+kg{~%fE_u?%k!HqZQ zEaD5<2Dha?HFa{8=a(afFAvGlJT&#oOM9g|ajavgv}2rRrt@7=T#ZuyKJFG+?k0Skmw2|`hA!xOu>C*e^S@F^o;bwAfJty*pdMr9hyNeHf zh7i=CiN%Tnoe(u3iNZnZlsZ(C%Q#=OiZrD7x908Yhao9ryQ{M)Q`@NRI2T!baU(Sn z4h?iJcl}fXLmb~`pOU<_!i~@|rRsFG>Mrb>X!1)I(D& z>a&+wzyTl6D;|}*TFgwz$<3!bU7wSh%%QtF+ayBjFZ6~SN$YbU+?Cn+N3x<-A|H^@ zSLVmqZ8ciUSy3d%2Yo7pNio}VD0bJskK9$|pAL#BtMmh>AE+A_h9%oi_Y2QNyO)Bd zk5L7?qy3<#F{rHmfZbGKm@_v?IU-UWXuwp~|B%y;Qv3e_)+57l(n?81z`}+w3tDy3 z+WisaTAs>#0d?Nx=t^g`Jdx_+`Hir4L%rC3vIAOgJ!=CuPk)ajb@Q zy_@)nq`y~}lDzB}f41=Xw#HAT4DJyZ6g{Wg^7Weg9I>K&e0v{YfGNkh^ zTi-Z%YS!|$J#h^G4Kz0B?uwac394chwy4ss4!BsDX*L)q+9nG0*?3nmOk&7iH$7DP z9(Wq|QKd>0$s~pI9tt|ix-L<@YLokV%O?1{ocwjnd|wiGWm^sDvwbsF6iF}cn4ZE; zsKlO+NRYr~Zd1CgH4bbwo4X!ArrQ5Vwo^HbwSF#+A15kbB2Y_6SssAFcpZX=G=TBj zUW~T`aL=u2G$o#RgzQKN(8To9h262bnuP35`4md&=VDl-XsliNH#r8};S`4wLTZ-D&}aRl*Cm?0|E)DXci=c zdsHY3^ZE6EZkd&IMSl(~Nlg1hvT7-MOo~BZA0^h#rmrZko)VN3k`xXJ)2jm8Z2E-;`){i~Z zHvYL9{kAnTG9x!MH+`>e{B3PQWN>8mv!>bqSLgkyANjyd$vxIK`guJ+Fd#8F|F$;& 
zX>(@yP2K1tWsB=a`f}HUBb&3I-p9DH*>@Z3&*b<8GXBdBJ*G!f8?%p0mi(gU0}=yE z^A}+9IW{si{i0_2g`JoY7?_&)R5vyH5dRVXz8-mqPyN`A%nS?;h`r3`rP&YEa@?PvGMnC{;p?e_B)=RtoXIBn1S)THaQ_U@Cz?O7Ir5=lY;|NBjYb^ZuE(r5gZwi z8T!<{WY5ffy|4U17m*tf8~9{@-N)GQP0Z{sZfIumTX#?IQ08A{Z15-kU6*~DuWV}c zV}}IIObv)Vy)TscXJ&5pIaVTlzyC4#-v9BCjtuj6d}m+RU-*0W6ZiWUpB(tqZ{!2~ z{rk7Q?BD#4e!h?P?`*?=<7Itl>^EKc&v02E@5gk(zvC&L_0QznY|7v9#2?^CHvRAZ zM4uV_+MnV9pYEGH@5-Nl>F;-Q z{O_v@1DbmK&y#&dT$GJ18L;p=Zc7^s&k+;^tP)Qo?!v*W*@v|p2R=x+nL-O8?#aNL zbG-4FR8GKZ%!4`^cmBUNiKWU0V!jS>vu!iQBgSpItm{FaydphL8MvIV88=R-yY_r% zQw+i5y;DNzkG_o;ZM@KtC$0=1L+zZiE8;g`#*sFgP#Mae$>I*&e`<0Ybu4yFc_dIF z1!~IDA$LmsZShc$6IE~DS=`-wiCeoT&eSvVVR|VN)9S4^3vQ!H|AnzrJn#{wO2tP4 zI;Brzqwwutb!6%6#RBhSUo8T-p#00kt-|h%CxVcLaYo#a16pQ+ z5QIu1fd3@ko?^`SuaOEa2AEvt;~#4r?4(ZEl*paM;6Er@Woncp@)qjCAgR8Wdu;sb z7|(7~;8H$x3O9+gI?Sb}6xU;I5cDcp%v+UJWb=&{6>4>~YEWNPQ?WB;g2(&l(RTd9 z>Y{NM7=2h`Iq^p;+ZRWV^B{I)V=UtjIjXN)yrQ*eEiSV7hy-&o5R~`+I;?OYLY3r*mn2^ zDYS?7agww6?cX$To``TMCV9=9ZTIrs)9Jrl&NLE8LO?D3Xo|C=wA3@>c|17D37+}c zx%B0SqbR;ra_~cA|1*yAa~{fBaZ5dh@4(RUz9%QsTQ!^xd(0rk@C1{ty;Dx}T$%W< z)WGv-ZHaMA99+z<6QO?Wx>SA*zwm+6k@_28=djBDYrFF{8@#`2JFtUD!8_V+{cnuT zX}jH3{#!(Gi%@RRPL?&LYc#L*U{7)-97~?22b(uYPq?McB6|+9@bb%4Km}=a|920K zIIwu{Q(G8Ljbr4yD1D_s*(%=i(yQl=!_!A;FtT7?`Wfxt&F0BV;u(2p^}g;J>7Tfk zR8&D4Nc`fKx--@S7FAmfU4J+0oThhSz(2<`@MM8r5VMrVN%^}DxtsM*ZY=PJ2!+LE zUqr_;)cA!~3aXda9TsVT>Eu$y8BS@>MkQmUM8Jxnz5>EdJE0P7zB|Hn=sA*! 
z)Yj*axQ{MRkI1E#r;=>a!X{>bX@h7t%DL9-y3!JJW;hx2tgrV+2 zBeV#!A?t2%{tiaKN$A5RMl71PiUBKV%xUkUcZ)T#DaE(cc+ zpx_bSD7<$pJE|(-HtZEL?6E`4cSdoavB$6N@oi*swFhwsB|N6{b!P?AZiVdA*TB+G_d)%t{Trq5&5J6&(i@zy;%Gz*CgZzyrmH#1`b!;16(;$hg!k?FD_3c$>RKxk6hi-X+^4%jO(uF*U*& zAH(Mnlr<2S_Py|6>_ze^j*XhHUDjQnoT2$5Ktd+DFw(;E4yuzegQpxaLgqE_5+PTu z1(|22CZ3vwxko`*o@&|BA!m(P+y(-!NVd2a7UwO&^+0Dug{e3^5m0)h!Xv-|nKgMj zX=#E&49Liy#WEL#e%zwKPnp=i^K>rX86mSAK1`Q z1yq@La$F~$`w-(}voivCvur|?qgHq3fJd}PSqKH-(Yx8_;@)T-v^Doc=6T{ZGm|Ld zDzKgob=%V0pB-qB95L{+Sd^rZvHsIspt!@OY#!tX8&pRPX?+T2M@8sJKjQ zfWmTy6vi6RV2L^j--Ydo02dY<7sBE-L@}+}+PM8EJ@ayY+R+{(!fB!W%e6wcbAgt| zX66RXiNUCx6lc^mDTI5*ZOIWI>MFIO(KBZzDlS3`GM#sjtptXUU8HbA*6*gFRQ@G+ z<-EOGb~ikJ<0uq8IVc(hF$DKtC^M~mo9y0|j10o~IR^`-JlEQj(Xmq0Ike_ixIoBL zBEMNFk!FR;Hbx|PEXqOIB!^HM39)TlVGFJCk|TD}%Bo1&y`s!pa2vTPRP#NP$Q2i? z%6DAHacP_vMqpgWlGQcnud09}4ICOgfPugUm;-N%_P>5QSOSnLVM!OG0P{2?rliwb z>U5B*0$o#QdLg^AHHh9zjjUC{MBQAPZ09DT<0LNgOR@#zhm=Wa-hjls(#ePyZjPcf zvq1xr0WOiBS9wr@_DIxUR6C@Yl!0kRbDV;A3cc|TqWAOb zg4&D1R}2YP2(ihYEC)pKaT=ZQHhO+qP|6eQt7-+YjA;cQR5*%~@4zt(TRQzHxL8a1rJ8kAM97wZTEs zR}TXoQw9U3cYvMQPa|UBLwktjM<*i)YramE*(n(;+tk<1uK}LX$Sp$+3mS-;2@CqY zf_PF;KPkD$4`?avn4r(4)U}lMV|G1C9X!Izamp#N6WhKQI-#m9?xB9>(SGS>X2dt+ z#JdBsOSMI8_k!aNgsOT{ksby$gU|KpiM(9~v~yDd)V-DE?-kq2yfzt)c64onyd?O` zsfFV;O$6AZgRZ09qV~*k$FrdfQUIx+OZ#*cerCVCEzZ6|<>p7mb4b&^V^^%`Z-O6{ z%K+25X(zZWcS-ug*#i8C{+Rnvq3b9)POL6KSG} zctl5`BlEV-Q#huH)3B7D47pIDJC<4=?a~p$qmXp<&jA_u07-l1+3PvWWfUeg=`h?% zniix`3#+5k*$T3`k4Hc0#nqgkS#J&ydd`XxEZ>9c`dN6#%$+uo1QL=99s(GQp$$jf zWv;?~pQ+kDu5Jf4sfN!9u0K}7iHJPXx}pOq)t!`4=0MiWM{^0jQv@wgsj3VVhF?lL z9phDD6;@`r7VQ{8H^~Tc)){y0@Cl4!h^=HrrJ7XEru~$YD1z+oU_$BCLGt(>2)`}V zT$gmS%oN%l5w+@FP6awjI=EHpAE{S-Q~l%5Rl^RG!NK9{iVc%M_WO;B7&jZC_r4&f zc?JEMgjrbOy?I9dlS-O5fW&4N1bcfGAln}ZT=^Z(dqvBY9F*XmKbI}Kwy|PV2{IVE zM5xJ)Z=7&t58a3WEi|aCGyR?G4FeK%qKYym0{)PG1@SsZiy#7Zo;W~ZT~}>AXi!5& zV_bw+2qQKC#aMJ0{l5!65Q4`PHIl%i%LBlU7_`83YD*?B1 znV~rWjHn9G?>t{HI6&C}oP_5P`T^^aM*t=E=XOE*c<;!ZAbX+H+ouZPdp6!x7kW@j 
z49~m{Z2w5>O?@y$c`m(B5DL&V19tGY51e!3Mq#(>Cs!2WkoND4lpWUQ&YUr*VFl-0 z@qP|DEP*gqANYmgw*eg#RA2aobt(u5d-MHVS{tl>v2QW<@Cpdm_Q~&)pM;3;+dlNH z2IUVBegSBXRxHa#^o{lR>B{%qiKWVOhlW&Rt6(`%tlBw02OmFsuuwi^Y29o zKA{MLIk5uB_CJN?@kH8ybS~Rvy*hpOF`qLpF7g3B#{wMGB$BBkW7Y{4zd`$QX(?u<(r}iE@@k9bL^42zs-?pSS6&Q zWLIp|6Dj_@-j+sjmk?+tqu_l}q7ng0Y@lRKhntUNb-!|ug-lApsj(@f!|1Y)1yx9* zRK$tr;N}+SYc|(W5)&h|y&o;yJX{H^uduW)3qAQM{h@v5SLW_uNdg zvu~p2)miEKTItP*HMZ(Xu87_`V(JF|;~7;%;%1;Ku%I%-eNKyjN38n%nE5G$>@iiOVr2wI<2%H_n&%tPuapZj*9 zHU>xa(_ifukZN+5V;}dcBVQs_HK}-?(3b)2U5MF}Ky2H6u&#_{px{R$Xajw4OVvM*<&yK0a+fpG-uf%_Kch( z{iELqx!WBBGBO{JB~L@?VP2ikZf22{(6pNG=}@FHMK1neR&kn}O3KmzcnP4kr zqpKl~%ACA6k`N&h1zpChi+SXWgE#>;e41T+g_Om=(CFNCNs%tD76=jmN?={w?P`=} z;v;^b3!TjrNzlTA)^n^L=|(PXRaXS* zb1Y1=oPT1ki41_*sD9eTfx$j!5J8}q8U`f$y$nK05(E+GOE2gNuxrfSqcb-_$TLBf zMQhBnNR=zCkhM+iT^eEszWYE()t9zBkOyn|!Lm};nHX%B52-ty);*F2(6nWL0T0c5tR=6C+%> zIe718aaT61*xeAweY{}-VRiv!W2@xq-ql}>sR44+{qe#UW%aSK_ z@|V}$4hm)`7<~H{F|EF1{z$7iW1sc+kSVG6F;K>PP-<+foO!`?%SS67wOw6s6Nxe3G*;GVi?X|DqQlp^QG;=wWU~nM9*MB*` z$+SYhq~0z&b@{gM$Yf}Lp0dgW4H1+(tUAsM*8KS4Ji4-LvaH2XN*9=X)xgqm$Z)Qi zx4`5_!GDgb4a`m~A=Igt=b}}f5wk7Wtlz(Kqxv5S4M(fpko@h_2VpP;L6$FZ%|L-i zTULCdD60|GR36I_6j|Y|Z6u$;PP;aGH4_$ab6VP2wI}oH3R%4h+FFS@o0@R)53Bw+ z!ZT8YX$lJmJCGWp9;1Skx-nrp`FZ<*oDzbPx4W(-iLNBpSW`=O2p^*_tMmXXE{{2& zg_)@X5=9-9op)JFCdUMYJY9B}Yr|}W8(I}pCh^IVq6dFt;nL4mENn;{drN1gIn33{ zXdj>BSSEUy`6h?e2{>R?_?nW#CkqvyBO2i{!>j>h5vNtKqFeC~Y%89P`I^E{renIM zC-ktU8r@p@qiFb-8UGx1SC^F_<-VZYnm=x}z_EZAl%>Bhl{%Qr^5zo67rbk)=JWSR zn~hH_1joazsV{w~p>u25E=HKb+5|aYKJ&qVk$4u+SZzVQJ$e-#=Z*jMnI58l@!}IT z$SXn%z?_k0OkN{+!WZM=8l&v*AuNO2`j6YOV?s8}XINpy8v*`3A}ImY2NRaqvmH=+ zhx>vPS$_;5^$<}5PAo~V#~-w3(I=gjw@6n9d# z5JRo@D;mq`75DQv8zab%zpl`$j8+QJ5}5o)bFA(4NEP!v1Ci{r`L^tCdbpSZ7}tT- zH=}U7=8^#oP_!2EdP(1jz~c}7rI(;0lc$u?O)1JTY6StsmOheH!T82hu6|J823CGU zm@14;8sSgus77XnCi2xBv^R^*U)I8Bx9usaURVwstj-jKIs$>Ui!|SI5O1ZF-$g>!O`DKTTbTH4>w>xUHZSDZS7=3F70GR5#3Bf zv!hdbVxqpi4FxsM-%PLdy(Nb3m%9o3m9eS4nt`XRvRrvqmsVa-b>Kh<0SB 
z4Y29MS=MHsJyQAPLVY@h}$)}0r+LBSHsed9)1=tWfw0y<{!+dfhSOT_7xb%9i9$ z!=+!z`cAqD&1pJ>EO?aNU!^iwkK3UpN_eOk3X(iy7=l?JMS_=23CpMb0w9$Z0GfdW znr}8>%TVl&@O!$nM@NMD{eb9IK0{ALTyU^V#EYj84zK7Q7|73$b_X=UxAb zTdF3%(&8v=EEOe%C*_`e^LO=`>29hBpp!f0i+a|ta?M^jMa7SIDOicI^)~o-%%K ztndDQo}!8<-CfYke}muHngQn{Sdp?kFX)XDr3#b=io;xk2e^bNxQX~jJDQIR#aNXn zo0$mmsN^;!&qkjgT))W{#N1bGx5QeMyR?SZ$~Ly1K;Dps+fReU&^p!x!(N<2&tdLV zKu(`TiDQ0gA}S}4kLwz3*`g1vHNY1MzN<^Bak}+({CEC-Qqy~T2oLxgeZVnd1*YBZ z4B|H1BRV`CUy%nZ3Zn**LC_=kG45M~`et~z10iF*TQK7eg^87Rc*Oh#Cf8t~aq&I` zkqXH_K{`Q@s--TX^1SJ+_a-~*Hn z1Y6Z9t$2||7ELT%d%MY2K6O##$X{`4g1-^wFFo2OB9k+!LB`yc(P;VIZP_C%BXTP2 z$GB>m3!=QsaVem6lr<|UE%9{OEfGMDl_|&Y32PA(Inisqt{4jmR%?AN&*2a{+z%NIcpc(82c8fD9KC2#6#AV#~(l@Y1)0k;{j;&!$l znJ1#HarULfOh*(A$K~f2v2Od{Ty#W0^O5%9Y!LW00i66@uAN1*VXS$7QPI{mr+}GW zKH?ccI*Ci26BvVHoD_k(u+JUp6R4lL%tcg`0XmiGUR6|*z9KU>8k^hgrJf!Y++BW0 zR}OdP;sqy_rgCYho;U8jEBP=$qK|{DfDKBIQVsc~<;@ZCNi;Mo;a0fx!I{3#x?d@(mJCozf zZLtX@kOoFkEA9=g;ysYySp$!U$ITc7eMMnyL~W{~NI9!+6ZRL5e#`SmEnXM9e?m3D z%&nlZ{g^*3XeU!7K5>JqsqEQP-mlRG*=MA;B#?BltchD^O_ujv%li65Jd;a{8g>s@UTB$eUd zw;sowWAr?i#tY#Cj-qt$oRj^m|4lIRajlEmljDGX{GO7}$U~tP%gt-@Q_C}dGk$w8 zV>GDA8sH3Ys)#iSAgTKF@zO0UJUSnL4P|HUX*F{GHkdlTITgH|w?3E-7a5SpGmGX{ za`g4qlK}5DN?8T(3#_?oB?By@V3u5+k>@S~1)uPo{TZ=`#Zvya@*0b^y(Q;yh)2ak z!S|t8`n$Z7I;!;iY#mDRhe9bmH17S18Q;(ZlbA^O#64$pf+tuJGl5A?VuXYVH6m=v zC?)RS9S@z*kL~ZZ*T=2bN1vV3@6(;!*>S#A^~L6w*DTBG?%I`)x0qpNx`#&fo>;R` zkY(17V3n1V*FSapI#5~Th@FR*t%rrKe@O|q;F`?iar*rOx{AmjlwFkBwo_R?4uU+5 z(n_jPz&f#0tbk7>5E z6N;dWMp~^B?Dg`?p6wrYjy@ZBe(s3^RuF@ZR%8+zSH;K~=ZUc^)W2FEzuiIA=$)iF z3u|jzF;q*s3@`WHg535m)tk;9MH-K(d^GfqWWQc4fdX=CsBGRax11~o0!eX~*c$Cy zJ{<8&X;Qn+d|qB5zmGDSNwfrOJZt|=_IU9UF_IiC8>*>D&alU2DhezUY*Z|Lt6hOS zIERhC%85xzA1jj;Y;A8VchoK?ibr|07`E0wmh0aw7|}})M*rCv;jV5hyRrLJw6z@P zx_<6AE?v`f*lTF0ekD?=J))-bN$@Q~-=?PQlZ5=77p+Gw@8hQ$EaE9tOpZO`#F~2~ z_jhSjB?BwSmDv!d6KYF8H*AG;e@X1Uc&C`}TzF5=rHb8>#|xEO6^^&`4^^^fIb3i<;vQdg+E$dx0vMqBF@m5c8rn>$6kshd_Iwq1r$_hOsDTzd!Cd|5HJKZx_ 
z=-#t8iX9QYxv<^J>>8R8BEf01`PA%dI9iYcehfcqWs^NyP_j(;JDwVz1=wpSEK3_1 zMasKJOpkpAzj~OcxHNo7W}wchq}=>l)8D8`SA&jbGv;r|#;Q9gXeG+hyhtOa>MqPa zB`wNke6*ed5mWjw7y0Em{~oxv8@$^Zpg&kIPrlBsiqU!U;M?C(m_Df55?+Pku%t-b z#^vYGNQw9L3%P^AEKWn`jas%(DEP$d59P6*`SgCuHre*eRJ$Q(d+t7%h9 zg29S9hg4{IKtV)<0=<7p0}q4eUNTF~K|)!=`08bIPmT%ov}f++Byq6RW@4j4hOEgm z>)mZsk|vfiPyb!{scQqV>=BD(&eLt1oV%3#XH1Pgwa9LN(IA{gvt#+IBS&dUB@rP0 zZ(D7=Vw)CfP4VtmwRQz_R*+zmd)kg)g(G0YJTU~*=P|TPMckZz_eT=9va)j8-DAeM z$ZJJN4Lj&eR{}xdrOOFAX-bR)?Swr>8pg-^!h>W9`6ryQMrh(x5vy~euTk8~&8Ncv zRii=A_~y)*2xD|5Py%0N0K$u3F}mRsLh9N;iL1(oT%^Gc@~D?CYNvbgi0r3*#14EJ zW|7J>Pb=Qq#Xl;3e`>l&oL} z6V>0aw#4O3>^D1LUy~E~jw;GNF2f-ZUscUvH{a4Nz1~N4leVxdO~4&(EgKIFhT#|B z$n1iO1*B@&@8gha2K)I{Y0 zz)e0+GQ+_JGMCWo)1ZeBW2gO(nxz2O7Np^8I^W)eEJIaxDPYEL0hlzni=4AzVTNG# z7~>p%mD?nNHg_B3Yt#}S_+t0Q80WUd8@y=MKK1Fu?Dv%bP@mKa8=9nUfA|7l9lxCh4YhOcT1bH$0WK=1s@(Qqsoy z)z>7qyOUFPAKYS7&S9Ue%{d~IY4k0e1+*#TwajU>r+kddwW}>jH6KIrX>#`~Sh_k2 z`&6-}pN1pbnOGYs0$2YGw{PDZ-%F4UoIb4Htx?&&+cvpKH!skpjoDO96e4T zr8f3&k@(C#+xb8If8$Hix@#96oK??liWIE`J3=GXTysYcBh-}Ai`i7-Vy@PyY42`YB#9E`D=-bv3{x3 zN=#&MsHi=u^gn4_&o`BAp~olXlCw6AwFI)x{oKiAV3|eKZZ;^>;3fE*LwdaxpK zh1^AidV~f?qj~m z$IX>FV924B{tB}j=Z$-8BnNN0bTt#Agx8lJ#)V|<0i_Pvkvu6*MCQ4UeuziniHgtU zn!9jAetB8+y-80=~Yw-5G{_ARY>C|fiSlYrNkKkS9eN_Of!=H4#hmKT9}7w$3vJb^=RMp zp+bHxqK0q1ZU{Q3#Y0pz-uB^#>x&Y;Y$tsFh{G^D?OwFrMr^(E;I$F$Pn~^J!D+>> zp@7$jSHa))p@#4LsiXX_2-mB2{O6iKHBzSKE-EB=8sJ#ZJ5nGkL4mv{eO3NLsuZVGC#jK6yTsuD zb$H$0;G_VL67yu(+d-#HG-`a5-Gz)*jwFdT@t=*1&;3}^D z9RQpEd9SVOADQ&|&_xV@g|(8t@_nI(^3nYXy!{uZ#7|K<~w zcWe_Hms(UkQ&6>k{`m-Q`blZZJyC!EqhPkL7N@^VDYH640@u`%7YJM3Rgu1WXlOOcRsMI`@yx0;v=2mZ& z{%hXomWmAL<>TGyz5gRvm&6laOOxwwZ(Ji$E;R++=H}~Kc&Vjx zpkLc-WWbN-sW%FVi`s3}t~V;`?+=fZbkpXz8e{BA6bFPR@DT?H-9dfUsQ-4yYmfT) z(@6Il+Ay;k*WW>yVx*b~PN$P3r(koHgDsgA@s=k0MKANor|zcO%OPnh_+5nGrj~;9 zn#I-Hw_P%J&+9Jb6Nb)CIhWRx>=UYcI=s&Qvxv$ctDoUzosw<4EKOtA$=%l(`k{}m zmXYHk{YFZM4!a-0;7)qX-p}>Oq?}E@&5UeRSgQd+OE<9{dK z5qDW~`G_^=GE?Hqo_Cqr`~I|0T)8}AUo%~2&1#}*d8T}=P`-wrkm2H(1#A7LzBhcV 
zJe|`ZR+@dA%Y=*L%XTAeeLfIokep3}gEly-1WiqLwYGtsh6n!T4YB0SvAN#D!gbJj zJ9nt^yGUbqSLM6h7)?rl-|7iX^(AY3(%r&%X^@l@T{*cGQl|Wanmb5cB~-KzkIs)g zDd~fs`WvHYuyw`Yf%cQ7=i1zI5PlDlHe;rLKG?2RGfhAgCdwIa^v2E$_`-u_7l@n=Mo1 z6R?R;)>25m7l^Yv&8(B-)iM7RCFJTxJZe%HXY$(id}DJyhM6(7t~oNOgq|O%&AKbM zKR=ZNM~qi|uIgO(H)G^!3Hojp{aCY`(BR#tgljDHheo)d#Wl~Yq_`_MFPKs5;;&S| zdZb?}DZfFOQgozN#{*SPyCiirT{?w4^wANIXa0A-gbpE1R+yW)yH@L&58{y2S4DYL zX-o0ff@;Q6@qbov$mJ&QN7c0r>M$e4>mKdXk`fh0<(*p;(ps5p=kcKR!iRV=pY-fM{ z8lCpvNo%wb9@aJC5K5s1wqWAP&DJuy?xmB=;%o4;!gWYw8|YJbqOIss8q&5Xn@OWF zCn5(PW}_6kPFP}Es-9S1&&PndMlF5m*1GaMVf}!9*3fD{2h?=yeEOHaOZ>)!)j#bq z=9T9L7o(ITb4g1}sSb-jPRAwHkZ3OSN)k?)WDlj7wcsaJnDQ48Ik#oGw04thWRvZ= z!|U;x&dgQ<@t0Ek+(IL4A5s>-mH?=^6WTbaVkRaV=#<=UmFr6dZQ_9Gmk!l;QkwU$ z`;JWC4e=wq=7_a=$Yh3?w$rvO(hZrqOWO@S7`aBmHc9U4`=yPH`r%vH9(dv4;igTS z>q;saG)(S+D&)A)ml;Xd_|mJQZLUMhv*kLR$v^I_!N~6GcyHEqbp!gx?mVDlH?Ca3iXGgY*PhcbM)(L=5IVz?D+sy2z4hA++i33;|5p8g? zvt<2wg^k;wU6)5cFWJ>{kFizw-s0OnfcnSRy`q(+>DuaQUU5CTR_)5#IWyJn|FG$1 zcm~MqNj)89gOwfbZRV!JvS@&PIv|~+Nr{O7%^~yb%+A4P?3%3fc=^&+i^OGDJD)33 z_{(Yyzes+&ZMkKI$NL*zFY}PqRvOeO8fd3W%PPUnau+;o6uxm4)>LB@+oHMIT9Ssp zh+_Yl@#bZhBs$c6L~%*TJN`S@_WeeQONWm+gDG+<7c|UbS}iuM@>C6NqYo1r8crui z_jpbkXS@?UNc39SOJUv^7F2>^sb><*HxHrw~_#r+q}BWXiYvDqBL~< z97Orkb!|Zzsp;-sbJgvEy^hqSCa23TZCoT-A?h6$TOZ|~)YA6O!De%(crqm%@<;Ag zfc{|m6ozB)F*UoaL_8)J?&ONd@QRd#%L(lyCm~1~gS80YP z+gOeUTp6L*d*lAO#7L6esbkX4tT*-fr2{;O80LL4GQ$_7e00l5&5X=pL#vz2j8NxQi$)xG@61&MN=SAKZ#JIm~W5=S_oZM$dYg}vn zQ+=YwZOi-XYZB9w)j0Y}a-y|eZrLfE@djw{5wNQj3;+4ut%ccO?IgyX!y~$O1@F{) zk_PQzh-NBEL#OQZQQxZES(1B)-HNA1pI$JKC_QfTIIlL79<@_^Khhzp=LsiwGXA`i z-)7x>1V9Qcjo4VNT5Zn0U0|OEZC>s`xJOo3`6(bX;a(<3#j@qHZfk=~ytDkxE(#=6 zhP}>~ug?;sQMPf$>cg#Th~4R4F&h8WHkSy9cheYtXSqBwz49ORAF)oJGqf)aU0yz z$?LBgYtQ&w|8MJkok5NpQ?PZd9jf#CtuL;Riw^*O{{{J&ZCseTw=(+<1-8iOrgg8E ze(0|JDlhfycg@;s@-5}gK~D{fSlz^4tZ%)odhPdVQq35`ne7hnn0L5DY`mSekLPdf z7VZshFK(2dGoan#i~Ft4;^?qOsDb#nqUc6aoL!)Ykic|_3rQV>(`T{uxT211FO(Jv zFHbaI?V^Jjnn3P!v*)g3bNsh%<`rdLwefSEclF%cR70Y!P<9*pkizGiL{9_PY%mz> 
zb{757+_{)gt_c{I*`yk zn0jRytvOu-J;ZiW-^c>YoqU{rE^n?Y$k}b!wnrR=}^ zh1$_39UayKt`wGsEhAx8Z||wQmM&z;a_k|wv|qW-kg(LIb^)(B2PEbz^US1gso6RF zZ>1W+u66!eZani}OA!CGTtgKv+g!eBCTJ={ z2cJa-T#hO5FT@+}Y}v-db8VqpxL|b?kkN4od1T&%CL(~BPq`Y3o}TTgHPFN4ep>40 zg~Z5PJj^@V{IfSj>Kuiad{I$4wIiu*8qY?1co6nXJUZClC0c`NZ^7}Px&V&=0)KS;sBDUx@t1>#d2 z$*?-{Y;Q07XTZBOX-IgN*^}y-S)?T5D7CeLlfu3XkbRn^Yn3WXrQ9o5R?cB2 z>N2Nd%BNz^o0vZGB)K#oGv5&Z^^XNs)3~qNl5@tvvqN21Yu9B!Cg6FO9gIx($xZ?6(%eSZT zkYgQ8eiNKrMKm}}*})44;Gg7A$w5~fj>!kHkIZqjNJ=RAS7oBz7PZWwW*!?vmjgXL z&$IaZuBN6Y`YFGGn!TUA!_>P}jcX9$e^L*%`h)pJHci~8K(rl`-ps9JsA~^Z8_}B5kbr~8xM`# z;ymO{A+hMN-z|9iaPw*^P+1oLbS%*XXRfKb7 zvpA|-83+N{5R1);xJ1iHt~eQY#D@Pgk+|7Q+nBCTDgP`m(Fz+Y?m zHF5U%Oh~UrFM+HpHTZ$HzZGk1<>Qk>?_K_2;;Lt*`sZl>UIFOB-y_bidJQp2OkR?IZidn|D@%*{D@?P$&W&XgM`!6mD|?{L1EUZBM~C;;yg`O@F25OV1U!a|crAfl&~Wte*^@HN*(YgNUEW zAw#LfnCii9<19HwO_9vg*i1XPpIb_=CwFRllwxV2V&zR-j+(t^C-kY<^t-SJouEnu zU$Z5RZ2hdVW4aT=xs=?d_UwAgtsTdPUG|m!!&K(vJ+m#L*wFeth#q1SA5h=v&dM21 z_9OiWsvM>QzO-TnhO6{GW8H%6@j!Lz{4%10dIRmGLib%i0JDjo$^u^1LNONJ8>2F6 zq(P5eBb+;F3kA6g8!J~JF*~VzpuM6&Lxh?^-R@u@yJYMEN8f1mn8_U<9uhn~-fxZD zcKBt}5%`oi+oK5|p?lMn|BN+n!B^bGtu33ppP9~xk1o2`#5b3zL7XLA8#ou?Im!m* z=q1E(;^a_s3AU3-R$qmsr@f>(@f(wr+mp;&`=L#)@qxT=+*V4&35ugFN1B~y;@+e* z!_VWqB^a=#>!Bo&pOT?>QZ)0`@}kAZ*A_ujCNt2sLo{#VfjvVBcQ@ zmkcr_a--h-?eW0epSOHNMrR)g_vz#>x|QxM%x_bppd+{`Gwj)#Be&fIKy)t z@TV07XvVa4p5|*PI?6_X(N>u%)HN!1C`{BCeun1^`98hVYh7_s?k6NGaKWI|acE-0 zBY0!^KuDykQ!jJxjCiwOks{S*G=q#c`p7msmA2lUpT!Qp84hoAt>mgb5igfc{b}xLDNT$?7c)aw>i)xIbBuFfdfAME z8WK`LdSIW6TAy0;d*)W!KAmK8nmapSU|>aQI|S`OOKrO$q{?J`!$vjfhvQ!HBYP!S z<>1t`R&~t$X)E)CPM4TYG?P@N!11RU*PV1*JD{arZU!?qYnqM=M1bvGg>Sl3cnjRD z#l8S>w!`aT+X7^$hUo?zj-9b|H$89CEoWU&UaqdbYTt&WsgGXEo4 znWr|5mBLS0_nS>ws}$E#xv@TN_eQnE zB;;8C9W*#|Xbo@~es7!2;<$dkbiQmeE_rCV+Mt(c8*jJd#*B<_)jL4dsd(r+l_UR} zL^7h`KRg|QlSAGHcgg@!JAtWGl&vM>=YCn-h_*h>pi|(O2FZ>>(n*int!R%Bh>z%3 zndTaWg7!e%VNQ-vlWQ0q zCUZ;mau@c|up&}d=^IlDQbQ3l4_%11qInnNepN5WfkIwLc|{| 
z7-+l&xZvc^)i-jk?tjo=8=lA6LoPIXv_E*q`lFJ2X8mfO*ePcc%y+`$Gn#$(!SWrB z^r80?FomMhDrD1&?ky*E0^9Aa9gi3Xf3dU~tyF6hMwuyq1T*CD=v_P0=tX17VlCfV zebs0jL48bVYW-zzpQhr|lQwnK*!gZ^K&mmve%Ab5-i1Hcl~pd)^v|fLO9HYX2|Vm% z-u`g4(gHv`_3k2a!rdJ4r#A6CglhZdbP2d+C%-*+Tgu+e*_ZS(iLU`=#pk;bePfYc z{<6}1k{A?T{G(<6vT~Y}V=V4S~D6;&x!aX0BT2uhV&*P7w6Xd2mEdt$#F=MZO}|J;y~I?*B6(1aCChwf1O%Z zduWSYrci@gbk0*>kiLD2zR5j$xu_j7)oL-YGuX+62*ywhr# zmNr#wh>o_IalawM=4JxIEvsc;rksefvhOkfm^a75mkxpTgjB0t%8=sC<~w)m^4HR^ z^t&{3EU+|F{_2pDPc<=g)V00GuzyXM9;w5z|i3Gs!5HfPPeN*K5xFCt+(Lw zSclP`gQLC$0dy1XEsxg|A1~{Q9Q~~^?pNRQ^#Hhwc?9@)TsV2E8uqJWhuY|ep5h&s8SFhbyX@c+Nn;hxy%6+cn zPxT>x@|WhQFV%Z%%&+o;E$%OOGS1k~4uG#Mz}+g0;1fP`R5xWLMCInr7oe9A2=GtZ zn7BH}x+b>U6|BM%?TcvP)JzN=neQe#Iv6j{^}Hf8BWjz$zWG4cYrbCz9CIIxX^4&~ zntWrUqsa(b4Vm5e%2Es_96v|u0;1@IxcDDLc>v(PcrywuB<_xPM?2z=-O{znyGA&M?7Bx1Tgv?5%B zP>1x6I1=|8BjvFiuUqRyKEef)k1}cjVy{JVt|H4CU!tT{kPB8OUn_gjN97$T-v6MR zAB|4|==D_@2oh@?*V@fWZvVEuF;YP9?VF22!1xuGi!EPkC69FEAqeD`5BK2`m^_T| z(DHg_;u+95hH9cSk&y4Sh$0Wzj0mk_UTK;k5}ULOK1Y(F=PTSC~la^{=6mPmL#CEts3sW`(2V3G8Fg&>^0qdjpTp^sR^V0qx!F@=mZ z4sk+(nF(Oa>iICgB5+RWIDeR+uhs04bojr}k3zrzZ1cvUJ+?tVDwiJ!e{MA1+G#kn z(baQ7b5fxTlAxX5g-z}Q>g&|?JqzUff~P-H9N}*Yu^B9Rl34lD??vD)^+M49;JZPk zYF{RK-gW;y^U*r`y^-5Ji#6S)`Kv?TAt8&u=S`S*^T5~*?PHZHAv`Y(OFVje>Gsxn zk=^MVFZE5-=`megMS#QNa{>`=!$6y1<&dVfs>?tfx0Vyvt4d7WHjbD3Lg_QGxTu*c zE?$BlB|iKHE28LAJ$D}yt#K}!(eaF|B?>v6rwidKhP-0}?#92Z86f#S~-KqxQ901%^n_h^fORTRSuLxPLaN%=wu6T_K-?$42c z9-|%egb*@N1LA=ZXc%)OlD{`Mh=Ju0gpCy_gf|oEPqZ(_i1K0QjzNLN5uqPb5-1q+ z#0&-&h%+1~_5l#+4^&6I)>HY$5W*Khh>%8%;j+H+ufI11n_u^upCO!~9f#k)m)NT- z#JHdc2`Grw^PIQG_#>bvwh;ipAof7CH&=KrA6iQfAfP9|gb35waHS6e%RPneH-H%G zuIJY+{>>f2yEj(2E64!_@+VL)t#C~T2WJ=n0R}3dUx0xF0_>sFA7KA~1hVh{9|W}T z{~rXl@BbeJxbOde6X%5CttlD^_XMyX&M}}s%mV;{m^(mRArHWq0v^B-1w4R55;y?h zKA_(nfPfnS0S^EI9smS9KoB^<05HIRh5hg>nEm{T1${OFDInng55jI=4Ch&msJL9zb+xhwd01Ald8FKM|Gz%}pF{u0W`6{qaG(lK#81I{>6glF^reFo^fBSl!w z|2q{o_}%5&KOZ;v$PNROw z=s3;`^XVH4Zzy&{DUk1}8$5V?tsi;|t;e{ek0%d;V&69Hxt9B?k%bFOQze7*dK>rC 
zK@aum>%;uC=Thol_}G6ces3okDP41xjx0003H7_9R54!)lya}N*z1|0-I`d?I4##P_JSXa=& zTwhnt&e%cU$=ue)QP;%QL08(=)KQniO;<@-LQGfDSl`Ip#@NwOSIpVm$oOB~#oX~< zQ(bX$M<-hccRD*GlPh&_Wn}fGoFF^_%Km`55GolV0w<9o@})R=?IjQ*5c3efFj$17 zf-)!j`Z+;R1*TM96Gp*Jd7MHAD60buAX#wq2?&%?8ufruYY4*w+H)Ka`7-{U;G0>P(er@G ze}-2cVZB()!nmQO4r_=#I9QqEPOz}Ydoa&&moZK+8j52X@(f^JV^4#C>?P@#JO2we zK*+z5$)Wp!0dYh_W5m;)#az#1yReySm~3WZWDwDGU55j?`F{3!#8(45ZEV&;fcp~5x`myL1p;0Sv@U8WY z^|gsaoDq?rZD8bs1Meh+1117qBlrI7(1%t)3m z)791jj83C7!hs7ntlXCpj?{)jW)pA9RB!(`)ag2243n7*NYOuPd##Gey@Ga?wk z{}j$)GwH$Nn5Z94x!(_wCP-}Fov}5?b^+_6>Ej=}q$~o};}tayiM)u3^6Uyuv^uHc zW&Z0@-_XNnteRC>iqK@MA2n!;h*dE!C`1sd@>8+k zZ+wSm!65zi>6ZRz(kcVT_p91^XjLwEx(}}nPE>uCp_Kk)PIBB}>65r#d>x~vE^4Aw zBj|wJCS`$yS>#a~$z0CxL`-4a`G`l`Lq;MPvBb(*rH$iRL$of}_O|3zx=M@Iv|$;> z=_ZLbYn*<1EZqAf^Yuh@P3HWrkSz+WDa&RT_Uw|#r*wt>_=NswT(R=ix;Lq--}*32 zGHr*hq@TblYSvf}cjZRa@0)yXcuXW^q$eY6x!I-i0m=5JSC5s{#tb_)Ve$|7FTBP+ z-(0-WQ7e#jLE}M%cLjRqZvLDLnD>qKK4FIjJ0hJu)1t(L^$$LSBD&h=75svmi|uwQ z*r<40cCTUA$f~@TAEI{1;m2mF-6?(ExcsP<)5`v1&vLq}IMrs&T8YxEZNIcQHl+kA zB)y;Ch?~`mopf|uoQUZmxAl^xl5<;vey*6i!fU=fW7)~7?!BJP4x(otZ7EGBJVS*R zuFKy?j$CDyIHKKttY7QJhq6$YSrd{<4f;>3gdS8`DXHq}dCS>{*4w4YglXgrjFdQB zG0L7~?Cq6kQJ>>uZbLY+tSB+;5 z0Ia5`XAGDjD3nbNqx&*HB|P4O#R+#|vMob{!$Lz~0yN^~w3Q`oDx*n&QP^RjaE>E1 z&P#DaBRzxPB>CjM$w!a`*@k2Tp-?Dj5BP&7??aZ5u%Mujpn$NDkdTOoFh&e3E+#4} zHeX75HdbDC;dk<~a&kCj?L|06EhRZQHA8hR9RiU^T)4=1sgdpyZ9SqcJP1leL_|zf zY@WFIJY5Aj1>OJkHdzZv3X3QSM)08&A+#ilPZBj*4=scslmH6Zps5Xo=HnL-6cQG} zhysUG5)c~2$A{+U6A<9%2Uj

kz-BfRqAZxu7(KE~K~)s~fxbu&|Ov)fE}n))&fp z40fCdX3pGs^JP_37pbXh5cLfVjf_n!t*mWq?MP%Q&CT7z)63h}kGaM_fE5_diHKYu zwIO<2e8Tn}iAl+6=^2?>**W`i^9u@#ic3n%%1@lEK6U!c*>g2@SL++DU2kk^ZoA#y zap&&6&aR((ANTbS3_ckeemVB)^_#cjzr34(=Y@j!P`vH4^O6MfLi6+U@e9H8LZR2g z4wC!=3Isu^s37|b{O11qi2Ry-A3ye}?4)e#-65;=FSq<8IYhbt6Y z)w7#D+_GH{F4Dvt+`Fu7yuhu4**;^Atzz$MTS&W4;DDat6;UNo(H8^u^qe6v6`Fpmv+LIj6X<5nqJTLT@pY*TU zQbw{`rQCa5ezF?$&3AvaB2pwZ2=bZ65S>>tv3K6MvGyvezbcM35rX$Jocq z-bqg!jMn#Y^&xNi;i$$ItB)l;Cr4^_edn`sFe#;>rZQ{U>;V-Ole9BN{9sfG5LK7Y zhTYy8EtRZxh(A9oEk^)+9dD5AO8J)(Sv|p1xIA7E*D{CrkNzY7h zZamoj{?6vewxS=8Jb1Y->I`MfHuNVlIYNaahXyZO7(Rql!0_=PtT7m}w|XL(?5&1E zA_{UlCm!r#MXa$dXbLyU)Aq#k5Fm`Ws^us1gOEXg$D$jsl$FMBmxKGDzS)$?$i2EA zENZVQU@e!+-$j19=zwW}x0feK_Pa9Wf$TuNzJ5A&Y|$ID*EPi@ss#p4?lQ|1w^B!G znx`|hL3XEr?B1Pax`jcpmN{3ag00R#!mR^mv4tzOj2k-md&t$b)xiSn%%_vSUIhs- zpkOID&0(*2cvlM}gX;<&68B|}`a|Qp18)EF=7}$rfd7t_4o*iHq4Om#?_0DrBelE5 znVL@7zerOGsoh2GZ;bUtPOz)g5pqB5Q(eX$9$yl)QoVgs)%{lstQV_3^ zDBUmJd_T!2{lJWDE@5;kDF1;R5ddde!S&-p}4I>hqn=iL_V4fD)XM3D`-22k0 zl7Nm;NdK-)}DgRolKB zaC+q%Vqo+S*<<4%_(wiCx>PjN&P8lIV4#T|-U#wrDlHFab6A55lhs*j(7!bD-=Yp1 zH{yOE;%Nbb&yI)`rwZpH6rbCtzm#nMZX?j-ZXb)YUE2#UXV=t~^sgEYOo((v1lvo` z5^8tq!<>waYWM3B)7{r^b-MVJa#MpHp#S$W|E;VSJL)c%CMf~gmTqns?CD4hvud-u zLa`y~Hx7GeOlP%rQ5k6~J|c-r=_5tXfYSRIRoZ~k<3Kt-=#`q;QUA*$|KE;!vAqTo zaW}bK)cL?VFIVAQ(majQCe?FG?I~#!D@UXbW^OGjYLA$EDZ8ego8l2jPd2vBC>x}B z9lY8iX94!+aO_vB%$ z-&BWq9@9f)UW+%4nOfkb4!f$yz)|PA0t7Apv*v_ceq%UMR8I~v&6V-$rl8jN#t4P` z+=xB2I8JnbjBNi7zW3XHU2BqwmFc{_{VMsw(bL1tUH%CQbIw;@VXeqJTy;Epb3ny` zu{8?=UhOavbXI^t>V{b4q3D~)ifJSxiOJ1vLpUPp(HU)$BoidL8Y{> zoLH#~RKCYVu8*zD#v#+AWVl$A-u2PgRCDp>BI%^?ao^(^6ziaMNdOVt`i`IhPI!K# zcSjN)+~qTjU>Pulr|H^{hOy?rr5S)Hh^z*WV2!Osx_p2)G>=4nw;}}pvjUmLg|$PVwOMkrpU-}IY*?+*Ae_D4zpbrEmeLmkz@r-b#h&`BvnFLbUzYOf za-b*CZ$+4P4CEyJ`-+0ni?1)fT))HVpmt?=bA9iIhgy*! 
zg2z$`utJ23L5|2j4WsS*$xbXlIiCnKRsgAKQ()qjrFh_q0_;`{FEiO$Q2u;DnXP0u zoLICk6_Rg}yf)TYb*(559FrFI%KDcOH(FP!-SLOh&oPEv|IoeGSGkG zONVD~R26gw5SnC>F~o*BO$8F?PKD}q`ASFe{wsaqpWVI6YXs17MF2wzP7 zLQu=COF*um|3+mqaZwPrabndE?5E-K)3QDZo+$>MZfZWaU(H!$ETbNlyHWees#?Bt2#y?=6KnNv&vN#AyYR7BM|s&Xr=tdQ-1?bk++}CQ=LRu0 z#H=k|I9~f&<_r%;WEe(O|5X?Tr72UYQ?Iz$kcfhHBt>f;jPyzaXTV5beEFzyZ8NNa zR)y1!l;@fGcnvTJavz^Y!eMNG3`ZAL?b=3_;7L%0Puw)~rzaO29Bpn9nnGUAXOs`G zFIE^b-&SOEow&1;NR^h#N+vTfKq{j#05|h^1jL)ow8H+fQ07wKLAg+3id>-Ay+^1A ztyouQjRvW#NF!){#i-@2bcfw7*|RxU(>rYs9WC#mwcbvsYlijERf}8cj){(HfUMF# zTzR4yn5=mtYMH-(Xy<)8%{uXwanIh96b(0>Fz!rmg;Z4HhSH7p$P(B%AW+q;ZP8v+2|k?3Dm6JMKkDti`aKSie&-a<{oYVH2Zmp3-)=vMKK zRaRbH{NYuPnV^+r{>1wZ*`X4ru9GeG4C4>?o`P7pm*8OOF|B3bU>#Zx^8)9Vh^euy@?w z#T2!7yM25CYN7t*u$eDz^@uLTxz0g&ZpF7cE!Ua*~s)OCBSFEw_JJh<=+q+it z6wRkq*=bD#1%ql*kL7ht@DdK(R~4gSrTuAX2VS;C&*;$AMIgW15<6nkT}-pg+AI2Z zpVBQ;T!8T=t0#I-Arqlg7=X*IRTe`4K0vR-V^T===5;*1&ReSF{Q`{q_{&`&wxI2~ zs#5 z<^s$p$qT*7pLkdCkWZ1&x_R?(9*3H6%0F-A(If_ltb9(zpG~rQBvwb!E_B6J0eqhQ^gQXw!&3bIiRYu{ zMWz)lpYpWq(xLX3{+yPGh2{WR@6BT?0x0CKxv8nOYYyj_bbP1d7DdKU|BV0|FFO;V zP8fE?%o|btGz2JG&ld;w_fWmJt~FKoaef&$2dOB__&~3gaTV0YfDMxMoB12 zIl3m_JRP8!RQ-BXJDurfkX8!bV}*D;Ay+&jC0+^#-L$|9AU z6Y|cK8Rt%`IxD7=E`8F!;X*?U$oM!*0H|WULOT9|*p{|rR#TqkkNG~6S6(jaN~fKZ zYaMQQxXsJUimtkvw$g~q5kdf)e|=os64q}g(0f;={| zWldL0!k$H!Ur}o`f2nSOzyOqReDe*x z^#WwddFDGW1-JDjPR7bA;Z(Yto!sf&>k)>CrtNEQP`?K+-ZHJ~0|*HZUlmKz!pT61 z!wXplygjN7z+i_#CJZ9W7p(!pkX==kF&uVSS!eVsoafz}VWwAQGs0KPjvJN`NyhT> zhOKKNemmG#UgT=|b%Lh3&fYH50maJV2j@Mrc%2Pe z_77xX7aDkC5l_Pz2I-7n-djL6&2kWy5n=XnMkZz&efbI;3XI-)WwI+aU~(;NDJel% z=L~0!mtGBV+g5z`nruT`XRMz+!33{c5DAHkLdHdkJ`mtFbA6D1=A=1^bNSg2eNG5d zNJV1W{;(#MV~5PRl$QPO-K2XX@&u2&6{LzwRiVXtr9->9wT#aljyfI;c*m`}|LvE* zRcxa|FBH^Ecgswo(_Cmf@p$_2{S)t{EBqsI2jHg>rcgZaf z>EV3KJoq(_S0)s;H<3~O14KTkaM1L?-$MjqoCALV7#$Xb5Ie3OCo?}f+OA%C9X;U~ zz_sks<2MfA_9!a{;_rseX?v^T&tji50LxEmfNTPO699!etpLVmF{5HoL7YpmkmDE2 zKO}S+eFL6_-FWxVssPVG`mUi(K3iJv=hubT?8;Kfk?Q(|wfpjKSKbHQV7p=m_dLA7 
zEq-^O{#E3;1NX<`GHOR+5jAKQXNGR}xP3J@&b zZf9@nGyCKGcRvzt#Cs&-!VED6MD6V+l+JFgr;j&RN-HHE?9TXktaO1~qhIc;bLp2f z7#>ZuDrkoQr?|!Hr3p+bYr`L3j+!VTNXGdc{z@GVuAt@azXX$ zg)zJ@Y>DEzP1#}=hc9BO07_Q$g#1L@9-O0o`u7iQEGcg7$EsEhnLUdJZ+uY?YAL*D z0IC`>JfJuLT(PEoLg1MsWZ~)nxFS{fMJe7>1UK^wInF(DpBI+HU>kes_5x1&Z2!gW^}chW*AQ)44^Hw)YRb|MqQHc>MC1%Kjh6 z8i>n*rrA5PS(`YB4FQCk0BK@4oIaWq2`mo^o?xB-z=MhaBmpSt1jSyzUd_>WU`xeS zL`43zwSkB0A3;^4^#N6TRN|gxI|^=_e<kR3*r!)nJXlD5 z3rsSxH5wRfYgyF0hrGjMC2e`W%6Wrzs*A91R1C0A7=eevaQGz$j7xVnL{ek5-&+M5 ziLvccj&EE@bK$6TNjUAB(<-N>8lT=C2<_~4B@#Y2$X7TVwq@XleELuH7dtm>e*fl` zQFu!HBSuyDzTo(HjtvEnPcA|%TpRp?p+V~gWL{k*Bg-B_3xJ=+X6cC%=s)A&-LqkT z%yuYp($1TDA{arv3)h({&^&9;n)!SMRIb9U@(`)WWVmaveJ89k#+vj&`J(Xhm#{|2 zCl=_F8d0m2BAnM3bR~G5QHCk34Nzv*l0c9$kOYgs>g&&sF5GS+eo=Rsfw44DH(g!% zTg@`2ve9rItB5XO9pE9S&7XS80Xh!j;PxJLA9=h)#Z!3ouzCWIxCDV;0y=Yyux1e8 z>FEJvjk&pOc%RsaePAHz$s;(owH-Ow_-?IvK@-_S4lv;27`O&Cv@`@-P8t>e@1QBF0TzMCLPF0~rx_Dw zlpL{V2crn88oRc}pt9?swB?9vp#QbLizy{u3>E0L-FUQwqWgaqRz2Q8Z7~xLR%VDS zOSawHeB!ReAvLVlt(zNq7pgxa%0k=!xX3+=d;vV{{=U#!>jRa;(6k9GbOIIxo_g4g zMYj?_6f-MbxpY^S4{TT*7qZd0SAiB*Qe2fP!`z(O`C6j8W@G`r*jwq^isp%xA#mEr z{X|FX)tb@?@3QjvYhnxi5YkFI=z+(8&W&Cp5?cTj5!Z{55?G={0py~83u8?&lq~!B zgL!%7yGj$rDj+X$s@&Iw_gzvS8*we#gfQj#tn!n1LWw-=qDKiwgV7w21Z;d-lKE}+ z8ABmFyuq>$d3x>>)VTS%&ruKsEXE6Xi_tA@orr3f7o8Om-lGr&kX~RK|2)PlpiQ>x zm(x1oYGgyzuqj|!%kpm%OmWny6VyrrP94ik$w&gvlE4f*V<27dX$<4?8UgD_$lg=+ z6dp~*n&0+bUQ&KB{ssWg=|{VsbcYcMZ}}{xa-(fIUNSf#^-Wf_Q9zdcW(Ejz+qD5r z0dgeJXbcjD1c{Txrzt0WItZE4P!D|okknhEGyRq5{5s&ayxL;_Eie(t zsAU-H!UDxrVBcb)eWMO|8Qpw2v@nljhFX;z#Z6 zK3}SIZB70KSWi-ufUcwvpoX=z>GEhXGcE$`W7&D}2P8zo>)-6q zo+CSF8O8}?>#CV8=8?H_>GnPo%e&nfgHKw4>bwuA10mflq_gmVA^;At)rvpmie?Z+ zN=<0Mby|H}T+k|+F@}WZ8HL?2MgE{#$ChqG-5~%e-(H)rV{+A^g$tY)A6!Hpwgw+9 zpZpa~0(CxxIwohcfv)Y3A7@6=>sIB5;f`*2T#$Eg1IvlZw=nWFSo(&Tr*f%W{t2Wl zI8O;p)wHY#Qd-K-J`4Tc4~}BB*sRP{na7{Gjbg*xD$Dw;mLwe57!p8qv_aVF1lXeU zu+{lyX)%?u`Plu?o_LCzH55I4sA-UTESlJP+&hR;k>JT8s0&C-9;%^OCs1oVN*PlZ z34^I6tL3SF7E;>&%w)^idE#R{4#h~OMiMZZ1cWu74;!;^dZmtYU}J 
z`pkBye;!9*nuD>8XN&%GI18+~7IW{RjkCq6Xj@)~C-1^;A-o1EI{5JFfOB_~!FV`# z2RM+H9VPN%H2k06(jrNybvn&m$u=us(ISvwE{+y(fiJw*4e@+sgeT&{07)V99a#~e z4ljo#3Bm6idu8qI?Q{o~av%S9)&=FxzPmPoGKu=H%&!-p+nDKBq!1gXHt<7Wpc;#Z zuY6|wVBKw3&GaN_$;k*PiLfpYOPm%Y;2Y$jOd?tZ;>h95bn`Q;{@Ih3*PGT$VHc-h z^Z>wExy)JZ&Bu6HStU#XtmjiHX9%#2N1+0Medm0NZT}3aS#cw*@JtPla0ECKR-Axm z7mU~nrqP6@1U@GJFt`LnHqQ(wBWyrBY_x>M`zKg6yW$0RyK7PB07rX4VwnF>FIs;hC8=fKEOKOJ04KN6*L(oa_ zE`a-hhmeH6UYkc}(3|-}(9L6GQlo5hQ=^=TW6GafrF>5u!*Tw$Q!X0n@(62UDM47L z@3U_NnNZ$xZ?8%kTS#~xAj{P+yG@N~hvjfeQkrl)3I3{Z1a7X-h^6s&|B2Mtp|hVp za3CodTxo>8KRB0C%I{F$S(cl~JGC>4g7}JQIRYC+Uw&x>+m5l8BNHworD&`Ai6f1n zJi+Wmf+?DVqea|+RXaB&BRV$hxrO0C+IXEdE~lB|D3yciP0*vE8U@52EJbMZP9V_k z)hhaY8&@k!B5BrU2D~^sv68)~`-KfdF;PGA3)+p)r|oJk1k=O`@2aZAKBa|zn6Nb! zMq0|P{kJKA%z(S{Cjf<}qe_Fd3Y^UWo{TP!&=dv%4v7;cL;xvt0eps;W-Z;)FUkU& zh~01wN8Qz=73^viPa_l<&fYNj7!Q`FSSs-QpJ1*(kUhJ4&^oH&yY7syTVo|+J}a?y zSN4NV6Yy6nS|KDZ%>M~)$n(z;5mSCU`$?*U1F~acHkxRp=K1T=wH7bT4?MeaC9taD z$yx=8o`J%iEyT?=b+-+ajtsr=yFei;m$e8;>;oT9h`yM!Y%LOY-Ut`iHtqhsRP8^F z26{!t87W(CmVHG56qeG~KK``t65-cd&$nnQHt!YznIQz3&mD`5cA3X`iC2YmLh1Is zahk<30+>WWxdbl>=?fS!M4I&i(wYrx`2?LHZDsp~vgJn080B7=6` zQ+y?uqdP9#?lu)d1@*D!usDD#i|b2IJ@V$EZN6sDs&BvP*$sqJI%;IXe(HQYAf3OV z?0|Eb2`2=Htd7EgIia)bQP+aRs$gG*% z>uw{df46bTu^{OYkGB0aOU}heuZ*~0DeKv|B*9yu8-S|%#B)|kxk`>BGugV3FMGDw z51|cQa1c_~hov;1n6XoqOdX4IYZsSSXyoo{y0%i%;-GjAS@}f4?E3UE9+HtO{DESo zx(ueZ1g)8vWYUjjE7ZOlCUO#Xm_36Iy`WXNm1X+>M&j)#nHtSxicZ;0nSa3$@Khs6 zgFpD~kld}QJE{y&7NxHV09T83T47fj@;k;Uu-ceUWt~P+mkt!AA6X=QzWSWekLxpa z&xhXRO(_F+RZ-nCgUFKpOg=5AX9YWZOY54K$i8`z7pL;!R@_H3zju5gq%U$#R{wQi zRxfqkxhiW3cq~Radx)Xb6`MO$T&aSm${Y$#AQaL$6|DlD0CT5^>qxri zbgzE;C>ZX_0dT4^Y2YVD2rf}?W-I0fGQN!ESjt9)kuOr2hKe5K!Uc)&**A6`X$`w!-oRC3<2}nt{ zXsVE8ngzlo5?~<5>Zsghif9V_MIvF$L^TRMVNKs!ZNpmKUR?5-d-g2%F&=a3ujgX2`O;n6g%Yv_T^^^7*ZO)tg)Z zece(`WWFh9Y%V5#wdnF-fjdKW_2tQXKbM)Df;vgUrQZoYDk7A~*@#ca)9eaL>`Dhz zm6-h9rB06@&F`H8CtY`%RITyHq;PIw%NR;Mhp(=>Oy8+PVd) zA3#Wufl#Rx@)(-qY07u@2Uq!}d={!vAW>|B zXPc=Un#*-x_jOGY8FG28T!Gs^LSsQXmYL`y3 
zbXu}YN_ONJDk;#)A4e{VSR}3fjP&j8cBO)u$GQ))+Uy^jrA<46*T)B_Xn7^mo1NL# z?(A^9z;5^$#A>PhM)Jd@GDj&g!!!3?vuk8VK<>K~3s#g~*s_900T5pD2)tx|J*3tO z@WqM~`F1|7lNv+j%!th&xu~F_pC0iPw0~O#*BJ;cE(n;<;q;imUsplzIU-EF;6xmQ z8wjk6-jPA2HY=Z46q$Yk6hZf}=h-m`gR#sYw(7ZlNhr1+1|X!BoH@t>qy_d3^-?ym zx4#)-f$KVwQFXs*>MZbTLf8N+oKQ+dfQ7OW44MK*e<1Tcis<3dGo^&%;a!8)UGBJ(PNmV)s`FwK`bq z%@q4zOR`Mi`h26Rj9K(Ad}!5i6Vp1)0knqf?sA&WdmIl?W!G0{g&@#6yNQQFOUFJR zffi`D_Q_+lPe4^LFF|cG2NAD7S1NJ2w);Kz4jHV~PoY^_uDy6LSxLc)v2#)0cGfuWV*#$Wea^g?|w2T`*cb5bBl)LsTQ8PmM(yX zPGHih8e8QPB1jmZfCvh0;wKe^{?_lWXbZx+&1L2?>h0*oLJ0}?whC(G6K^u5?@9Y< zdjhze!QFe)hJq(;$Ri-W-0lY8<*Rt*1`)QT6i(<>Q-Ym26P3t(f&xc?Bp|JEAonhX z{tlX!z?g1<@Ea%MHsm6x`X7iYm5g&2JsWCVa|Re08%*(OI6l7c@*TVjlBOp3G=#gn z3ASo9Bgf7lSl;i}p7?I#E8UXPVvVjsO@gq7!LoH()DSgbz-I z{&dOw4v6=dwfOT(%~QVR@Gqo87t9 z#}-#=-BFYc?;c!O-i3TrI|@^a-xx{>CV$w}2+o24pumeL1=dkZ(cf7Bh#LG+VP$k< zHD#fgqPMbd-%mnn@2oQ+0=Sfj019D=TS09~>+i$W-Y2)a~c!#eb_uofKltWg+m zUCqGEE(rzGWoKa~2OVSU!}bzpk9@*QibT6=Hv_17RgOLUXH0goI<5d^SaD6Ia5XJ7f9pSwL+$FLSypD9BcCiNtX2-h^uzYa>t3X4&eiLC1CEA=oq}6 zKSahxj(pP|X&9ICc}u-ctxT8HW{#@+>@?-%mRgVD%bj&kYvanTtH%Z_((GC~*Ppx@ z!GD-{iMM_I)4`02$1blAjy+j63i_@~-_HURB$7-;%Ot3rzrzyT^AQJIVKh_@M1vm$ z_(x^kAg+!oGUi^$bgj5(JlskTOvNpkYD^(In(U*bHS}3J*F(Uu&XP0ozJG{~49%ue z`H36}Xqy7PE{svI0BtqG^5~kK*_;C$G0-Lww~N7iMMim0_eqba6)6^4Jspq8xy=nVery%V)8YZ>6glH^S`!lRYdS~oU{|tmwDcfnc3z7wB?=W?S6M?v!7$~ zvc+HY7~b$40_@-|FM!hm_zj5UZ%_u~mqY3#m2*RqqpJ>wv*5SwWfzv7ZD7u9EoDpL z!~$2?SlBix5OTcyS#5hE;w)$uv>QF}6S3ih5es$&dSd}WSSdsGMROGT(co*8fCQ%> zjyz;Sm&@Ameq~LPT`D(#hybh$1=tM;r=a0hZ?&6rPJ5hofYViJqNMYzJ)Irt^zf%E zVlMnB(wuy9XIumV-hvp6rQs)DZOC6R{7w>NBtAUZ=G$C+LnBE!Oxja90^HHt9%MMB zP6S_z9a=Y2MDg`varR9iz7lzbD8952d?_je{t74M^)nILLg`|Bg#au|$c1X0xrRv9Xc5>8#252dA&Tj8C3pc=Akcrp$`F55G&wRAY5YU5T$F_c^2VXW}sR=bR2 z*WUQEIIndQ?zs1^*>wxS%nk%yFu#tnuaF^dFuwr52jQX+%3heWFD#9y0PEn?A6U*& zWT;eDMECCeVyHE+T29_2llpR(McjZ(gji4`@}V3QTyq3LE-sW$rdWQ9i<$5efY4Tb zRGmTcnr_{G-|$wFU5KJ@B~i=MiA#oq&bY=kcw;#eIf;S1^EMz2M4@-*wk-@<5V1&F 
zY?vKO*%-;`v#7s;{LD-d2`7Ep2g}#5#)9m^w2k2AvDH{D1f=j0GRw4Fv}O*UtImD) zJUiw_bPakHv0-j#Ygsuv<0m3q5Bz-tXu^<8w!{U{}E{hQug+xW&Sz)3-Ct$epDLG zkbN1Vj6@G51TU0##T_b(v^aA~>vp29FG^fLHg1{Oij>7ChLWGK@cN^}zZDG?@?xO1 z7o=6kU;GZ7Fi?ZW-9}U}rzI%R(Kd0n5S7xS0L0a+DRyKW(X&A--wzP5b!S@;wD1-~G|)Swh34s1#+ zP+T-o-h#e{M$N2ULrJ~war$NpI{TMD;0@%`GfF)6_2m-wT-Q?3GG+;as0;oQz8DVe zh8z@1M9sX8-i-d{4-^jM1|z82U6toepse4iCD2#bp;`i< z0XAtWbQypz+6bnHX0TYoF9X=A>m|U$P%LAQe0{Xy692mWQ2?Qf9oIe4rW|b2Q!!k|;(<4ge2d-Dkq?0vwo3QF1 z&Yt3M+}O#t;9byw!*}bEzvZLQ$zk~%tC8_2PH`^k)<6FEIFG{en6lV z;*bsy6;5<7EmKVsjBOAWisgbFbGp!2M-6zO%vZq}4V?B26HB>pX;%mM5-?x024CUq zs`B!p{92=as=d9rzxLGG$A4~NUz6VdT60f6!B+PCn`hp{EiS= z6@uN2?(DcyW08>1zvhe=@9O-U^bv*6*XNQ5KdA*0&l&1{rI{m5R*nD!m5eJec>TqX zDH~$1ijlS>Mea^cI`)`|K7NnGUoCK)9`a<+H!XbWEi0Ve8K2`dyUy2d35+eVuI}w-zsH5Bg&CL)mu61iOKq@{ zxSV1=CVS^@(NQL%s5;*m9awV9FzxNWF~vJ$u%|zeY*vc;>_H)uqO6q4-x&ND$}+m0adG+iLrbtcTNLEqrY?M=z5 z3(%fot1{B?8&S7M-*V`iAs6fZl|0$jHGs4z+AU6TcWC9>KY0~=9_n?F)wVEng-^Wt zDUSk+m~he&FR*Gv0QX!>)>Zw}585@d_tr;)qNijGz?G03q!|WOm5d%>F;c@p^GD`- z?&Qh}q8r9i29}TPS~8ZseUg!wJk@t5c&aqEoy$!K~7|F?bN*Q-r}ddMZ}?`VLW*` zIc5yJ*U#xIsrglimI`wTTTPFW^0H;zq;q<%IiIxx6|q**l3*cA*iGb7Hcrj^mzKm2 zpSo?}&Cxb0Z(n+=7KazREQ#uM8Qm}4T&rcfoK#=yCjOk+!HF$iQ{A_4VCBPgVLw}` z77)wJRWzet>3@kLi`0Jg*CB{3y@W2KyMs1W^9!zwBFHE$dp7?YAu&MT67?wgK9!tx zPATZg_@Q*bU($al_j6{iNJRdNKd}ew1SuKwtlimx0wIOk8F2OtdCNt(Y0buVcs?w} zu4K9wZ@&4!*}8u@kKpdN_0${iUa$Sj3kvg@pdN;+;D2hwcNJ_tY1X^{;qKd6m0Cwb z<$503)7NLG1yL!cz9Y$(Y;BDv|0n;qoJpW%r1sh%u|^0jqYiem+G`W=R2z8e*;b>h z`|TB%-WK{8AqswM-L0-~PnG@FqSiYQ@E-T;4CF<~FRpP6ki%QhS>Sy3}8Pmss-)@>G!sx?cHcTOG=Lk2}%-W&E}t#|-n4%FT!0ffmpy>@k{E z!L|bbGS0H-gSr}nx?H?j0D`3O2|E_Rw~|m4j{o2XX7i(1?x=$$7)0||$lxrew3MMi zUQ4beiKm>d3KDv!b{VDUo;E?0z6nuF71O2{Dz!*{LqNqIOx~_New3?f(7u z`+=ed#1_5;m(^tITU+?w(kOBOe>pj9q5{4Ol)^m-c5n?w6#ZxOq)T+F#eXipZbUrk zkZ|8|t|h@>M(7%DKxK}B^`jiU)8w)uqRX+M#v1`vh&2ETrx1;S>R|rH^#nsd{<10# zn&jyldfm^jNQ?=N25YP8M0Pt-I)ERdU1 ztD}l}(u}3d-p09SPZ(`@@sd;)D)%cCUlBOc$=RDvK8Wf*G-nzYqKq!eV_nJh|K%~^ 
z0X(+QcbhlLTLk!Sgtd~3HS=@$Fe|w3r13kL**&VzI~`e8v{lGtiG#cC7ymF)pES1a zrkig{S*3>61MbLsTs2`H%~M_P`FwR$=d6cr`2P>&{Gz%}tYhd$v%sQj@UbRLa50gG z(Y2Vfzfh>~QM1h(%ff=(GKw*rNasnrWOQ6LO?$BZehwfo>h^Yn#E8qCq@76d-0Zxm zl%hOab5FJnB~WUwi;jHq%L9hes&m=}Nc%>JG?wk8{nfwbWRi7vuYOa{#R_Im?q_bI z{N`&FKI))argPzfX1uzOg7h)=h(Fb*;QD{qJM(y`_WzF`*G0R#5G}}UxtMCSC|`G& zwn-ZrOB0GH6)M#wOBkgn>n&^Q8j%=FQfad#AppEU2g#Kjvq!Oth1BbQ6%y zZraRcYXax8eI{@&G9)jIAI+T-A(3D?eIO)+;n^`VZTb7PluBE5RWkN$JlJOAY%58#$} zJjiQmrJB5^M#%|Z8ekM!RTa!*YKHZ%Rj9s+)C0GI$nUY$j_#j66@4E8*?}v*UUXujtr&4!59*Ug$3n zoOR1%Oq=e|Ws9SMJ>>NFimSCG`xTw@g^Vq559sOV?N@C2b>e17Cf@t|3rG{t zx{u~sS`%IqO89Q$cX@M>_;v~jX`c80vAY`odTwrCdi+@l*VLxJf~%>yC8wH7HdZh1 zJ`z^eVQH0fZf#5J4Kw6|3(&zQG#a=rNTVe5z%& z>+aoy+rP#Qpt{oZ9x+{#f-!u3ckx-d>wzCAHdc-C)lX_2@s4`r=R>$sm4OFQ1hn6j z3q?$*UuOzy_3^fu=t5*Tq=|BmF#VtUT=3Y*BUfRjxg!UCriO&aj?ug;dWf zII6u1@66)gkO>NK<0&1+4Q4{8zrK?zwkRT;E$ix2{yVd*eiEeD8H6PK<9{cW!CijSp8}*iFwi~FQ z&b%G9?uDuDFFLBQ@Vb9)!KC}G_F_BQ{AqR1>K)aeA9D(wFLe+8(=%5r^p*GB?+dr3 zA~MuIq6x9{J>R9E0>h5r-E|kEgUT1K4?d_0?UcGbu9{-H&&G4sK{V*1 zWw=&uQ-tf>;nl3=7pxum$T%yy;$oe`>U&i?IivGqUF*iN6T`=r)cbMvI37j=7fZT! 
zoLKs++g<7yM*C^^LuH)u@Avqq1tGqM>&r6zAK zVJ@1)rino$QH*4M=fq8feQc94*`(SKDWWiA@lF>gd@YYRHl@M1L5 z?u#kp-v3#+3U1g*EZQHpPDt3b1yCOYR3uteBLfddp<|rf>A6(140V9$;#}}WP&d74 ztElhh`V00bV$RFP<54rA!yry%XXbd1Z4K;NFd3VkTM`#*JFYy&7uNE;Tj-SE=84n{ zn{w~dKbFyjFM zJM8*bSuaoQz84J1E@S7WXfwE_9Gpx3{--vwcpO45W*_m}&}t9Apun!_Kk@kMv|PdL z;aBoi_KGXWiCmVt>1MYWHTw0(iE3b*VW7I(tcl&sR-02SryjVjDVf#+F|h|6m>Dc% ztgNZu@u0=?=|M?|V40VNO3kgFDA5pY>O2ljSWObKd`_}!>!Ntcd0&rNpUmFptsfAX zE+ZlWg0jS!7oFKmn5z|Bk&ud~0+t#Iv)^$S&VUXeF};fq()ehQ;7<`vw+`v~DiJhy zO~1x-;v+y0xR zYCJw364VS!uPBZg&;1XXGd2Bc>I!mt<2)9vZr=}!^FNvvFQWi z3Fubyta^obumvAs#W~vQ_-OKYo`359`?XoI^_NZMlwQHebaB7hgvagHOBF**JrluL zdo|Y|d88n)Qt-6J>8W7pNb5j>9$t_R)KmYS8Q6em^AP+(UAW6tT|GB!MI`KnNuf_q zhnDr*eK@1I)4?gCVH+hrdF2DEXacMHWO^iRlsVlPgfaht?7j0DXHOKr6gHx|^l7PSMJHNe>mTMK=25&7a#3rag{7NftyKyY#i z!ykaybdipVfq|7$O&4b>*qYz8mn z_E(q554k8`(N5%&HfI0j8y?%HWJgbO9Gf;wF#3`xJ?=j3(Xh2Qmf}odAbvYsCy6Sj zzylg0RJM3!Zf548W@ns7)kfV_kIi#2n=uU@rWX4wxV%q#fbEB;Ks}b_K+0URCiKe` zHQ{*GUJ}m|9(rBhfWxq~_^3M!t!faGX0>qN67Q|vrqGfXLpd1^iE>Gw`!u>le&!AK zlcB?B;_J=bQBOOV?T0}L1I0B*8OoSGxE&_O$P;H3_&u8qZea2twVZ}N%|#n8VhybP ztcRHWu$z094FC!0;VG$R>Wxyv4_%q4h(v_ z)?EM_jN96`YW~ii=_~%QZJXmL>{}#`GOlcKc4K;XSP_*#7hg$gbV)4f)R{1F&aa){ z;7LafC+P?`9dF7LW@tOr-UO1&tB))1sJFgUiI-=&^oe_~^qkp@O39dMKjL$Y#$y>* zTTJIS++dr6MbXFB8aj``Yq7?5k_WI=IqL6~fN6)Q&IE<%3|H@`(B2>9^r@j_S9_=c zO8_uXD(sm;Zk;qJz4p92?i=$~BagJMTXV6T`Qv7)6Em$}Gd zbok_4i9yDZKMFVG6SNyVUTw7Omj&cNUuZ+TXfV1G$UF&y3f{NMFz@OL>G9vcY@b{j z9g>LQD-WZ24LS|)5U2^Txy$^# zDbM?3c>-MP^0~t9qcED{t1(*i9pZdBi!Z{i*Enz`v|mNb(9yvP8Cl9CA)8COViEzZ zoGEv}9Llt4IyILEXX)&e2Ao`kW4~M$wet?JxtIuQ^DpX_S-XEg6h?aMsrm@d(c#GlhWg!5!dD^OM>|F6=Nw~|k+W?ET^Udhc#7W^O+y(CA z`~0E!dhrakNJh&T_SIdgD~a~w(qx>A!P5x&jOyu{Wt3Q`$gW%w=kpa+dd5$#zH^93 zovw%{IpUZpXtXi1()jr<><{Fga8aRjXpXwNcfI5zIhe1AmrDL3E1|SK6xSYkgdUT8v6hmcpzc`oHu zp&{(hlm&l8f?H#W?1q0u*+){E*hr-EReV2wgNFCVCfUav!7!ANr!SGfg`dLt;xt$Cceb1HrqxAjV2=;UiGbVJrr^YRCKMMR`Y# zba-239Sn|+OmK}ddn<|vo><-pIjjUf6^ijfxELrqBzt0SQ8f0*5RxOt7tv)X9V!z( 
zE3v0W)0?wUE7$nJI*l?Xmg`f;;*lRO0>b0sMkQ;L-bLw(rP~>@bt&-`tHZ8Kr;M{u zCm!#c`8977sWIL3dIE2k4P4c(L|zgdBH{8qUbb%XXYCU*vHt$jy@4H7iTbxlGr~FO znbBrJQc##R4od?r0}U?MBg@G{44(?rHdbReWr=jBhLYVnM>jlg}{KETZ z;(^f3x_w6$A3&*iKVSi6-$}*JzwvrPyj*cC(Aq9BZqji%S*nchVHL?GyLsXv9@HF( z?D9EUTJRF1K;$0B`ZJ+SI}=o2A}$Xx1~^#B@B51?KJP4v+(4m|| z1W#Ne_pv+6*Q2t=av+rGPJ-etnRMsN1Q;SAcJjY{;tYmmSo*){A3ynTXs;D9?j9E#D z^g8FGl`EhwOIgum`&vcfCJqPbK9I}iV*`CQQ^@*EreOn>Q$Z9H#Pm$2Tst}jHNo0Q zBf$D@Zp@H03G78ZuyYAEn*KQfi}6A#0W{!<(Gusj7S{yX1#s>5bl_fN5u<0M!Z0?; z)M;t<8yFn6G~2&_7E4Yq(QrmIFsPtVtDO-TPRejlJK($coq4$LnjDpjj%Xy=s2?&{ z*81`hwIdiz+A8^}2mOio>e(um4nH(DjzRD2g(hCWn18oAy3N{Nv0WoI z7Hy@&7bSf`(U-*VzssF5#cuaVUiT2Gapw@WRiqxeM}5{`Kc1Qg%*Ra!Q+)meIzb%aBZuiJ8M0+Z-Z4`|n|BAWT z?G@}VO7H)BfK$62U!*Tm$KbrKKNkhB%RdTXIaa1Gu29SA`1$w^>ObMcYU)A2wq$s; zn6#j-!Dy&iXC{hG$LPIe(x~O@h$(jQ9@>1X02;SBe$ruwkVpkw9$hkECRXRI1QMx zhEQKi`}4AOy}9(*B=yI~S`uOIt4}x8?Fz=HTy$(m0xoXJ#fv@PFt7NFMC~pAuR{-rHcBN$QiDv11^mU0+ye7bUL!~a+>=f_L-E?(+3 z1AzJW?EU}|^B;ri*+W-RH@!@JqmIYe6WRAnC|;rWfY<48UMe{g)2(;sba{t!4grEm z{F#|}FHyW*JUv$!!*OvYULn`tmm277j=PPvZ>n2jc{5yGz5sAuY}WBx(e71LlpCnjES}ad1TW z4X_#fO7=F#`uau=jV?5DZDir_<3|lsC+(Cch3s#es64#%fmRe1y*uz$jvN2Hteu+G zYsoGLkkIk;l7!2|$iZAoJ8Slbvzv=w;Atz8|t%T3RwS7gyF`adSj{d;n}rt}nHY z;6@VX=ZK2(@`bCbFqGMJ1%=5p)YoHsmL(q_Fr!R^y)jia*Ev^r!WlPeog>vZZN(Bp z_hy}TE1T=s2*~fk&@ePVuXn`=Zk^rT-D4Ku-i~!k^s2F{@@I0&i1eyzd$dSSV7&e- zd9D{%f6Izk?LnxX5B_4Yu^Fa`-aoKJpxWimhX6x%6`iZelt$IOvjsUFbY&WVbNS%qDWb7ibz*emi)3WkHN5Ckv32XJz- zR#a-bxZWj7NWjXPSj5$M^0XNVa(Q~DD?`5JGj59Gg zm)XthmtNlxowFzw1ZioiqNXj_Qo4J{7s6}ttWKuId-AD-~&Xx~NBd_#aj02&uMS*A?R6I3!P z3he$uURS$HEU2SzKYmU`YW$9gPqU2{Y3xGT%wc#xc?;nudLBk6v2>T2v` z=BWM0jJDFUgG!gw=VPSdCCN8U=hh{kNTDBEvgl8#m?pdM%lZr~ZoXufv^*oy#amT) zzQZz8Rl#BK`mo54N!9XAJ7a*k(vnSA({*apH=AsZB{sdIeY^-E8Z-=?;x-S(>-*C0 z(QhIUS3x=6zd7fh?My%aaHiROuB513%tH@hsHG;H!8aclLBSho2IgUjU`mE8_yj*&IT@cCI z7UH^+wr$GQDv1Ay`eKUm`%?*mShzfF)2XBF)-KBr)u)isqj3}C_S4x!zooaU%V@x# zO0Z2|`Df4nWCp62eBX<|cxc-|s&+s_rB~8PXh)(DG@9_mD7>mqmzIT$EQHTp8|rpS 
z5E4wqWpkZn1`!TUwx_HCcz9@u71;DA+ITIzYSI0hq(w$fJd9aH)8R)||M=ab zPzuw04Gqp;Nn5LV6I>dvy>=ua;q6bXdzhqs7+Pwb`O$_{sDJ>iY|bu5I{gR>lB_R8 zJfI>}ti!)D%x>t~5Qg9=gUvQqJUuYYt(Jq^o8}o(5=r#|1Q@2&xto<#M2w{qhIC!o)7bqNV=*7{IE zMU66hRZUw{a{27?JmF}1DE+Mq(2+qdQ^c*T3CU;hwo_!) z%|qE((F^d@8lnQ&ZDb#TOVX~YRn@U$lV9o?97#J&cD%orvzcAKFJs^?Mu;{QuVP@l zi(#oC4>M0*e4pw}buo6-O1gUhw^t;8`oG%|$Z)4$+hCgjZu(`oB)5Eo4?d$}XX_5+`(4K=sfrAI6@ zFIi?jo=m8qZC*}_|A(29%@zZyfT9$NigkWk#`poz?Ebv4zwldHIDFU_0?{a!&}DP} zp(=kaoGUA7S#h)S*lM`PryGuKY}m5#?*AFgzgr=l0!}g!J8=xW3?eITYzbap&nIKq z&CW$;K)t-kwqs~u7Pb?3kM!~`$89$z8!6OM-dEO~JX>i6tl={EVuvpbX0g)81z%XT zU7P!ROd|)atj!k~7_QWqiwFH^4WKlX0C)5ud$#CZra7~48CHfUDo8?w(J(+7ij&?x3Ce$5Egw;Hcw~{71tD{^ zx2^_L5sN2mE{)1za(NjzB#e)7F;XSTB5BM|QRgnL{p`UMk9Re0k53gr@W;d!Et<`- z#mT?1WO;O1_NG4eB@l&p%Q`pjt*iqGw7@Ll_QY1`0nu011yA^~EA8NgnY_uR0|hVy z3d)_EoAo+52=!y2QPTF4a~pImg1eJ4u$Oo@5|W{4LlokEz^l6xf&^ug3eOelkqdBi z?ng5&DVM*^ULUq`mZzMwEp`xI@@&h?Fum?ERnvp2mzPfNI+oHulwHYTjDI?&b#(C< z5E$OeQ#U|=+)$yRF<@cAxV=_QLpR7)r?@OhM*@A1eU6#WCZ7#r{-~ita?Oa%?l_jS_&Y%A|j1W zxUJrI}SG__^gkjEZFcLMVR3-T(Fa3X=ch$TLm%2!b+rHS2-l_D19~(qbBs> zJvus4RR}_OG7$Ptz&;~~94lT<)mlch74jjm@!GqX6+FDs(vf8e!0H5__q7i zeyV=nuKEE%!rIeJLm49nvlS8&a>$5akTdP|9AOrwsR@(Q?hRg@c>VrpXzZ%+2oRtcGCr9sq%`RtSmn`#OpUZ1@Tz>2=|LQqqCVkIB zzZ}NhlZ;s@D4yr_csQe}sf!fKq}y21wf6|${KklqwtuY@pT}eOn#qHd9}F1+OKGI1zEk#i)CjNVsV_8Kj0wp)q&+Wi%)J z?hbS-Ve_AtuK8@yk$1D=?LX9(9^*Ke(6_6_^++gzzr3LKAEucDo?QwiHfS# z=87p*{_&*Ams<*SI$dqft1aCY?h|k)P_seVtP@2BdUEB^#<^KJyb3*{pyk-uRQCCF zTw%zloCcZjr-XU=?&UQMiV`{T?JZO2sz1pD&dBISr!wC&J%;qUvOY;4-t%v8X974nvG5J90A z9-g`F2C)VdR)1r?PjtOo`HK{xcfY5I<`xzZ4I@qXb45{vcDNrYT<ou)^{%mx%O zcFVRU+E9Ye^}O`Hvqx~a_F}NY@&r3O4GF%lWN*}c8Fx>;=z%k z=3vv#_BMcGQc`iTlSiz(fCzWNXY7@_Zm`$8Iy>Cs20d6W8AkJPb4OJkL;9=2@@i<) z&{xyZiW+01cKnkCg9i<+1=i?;m$tk=p_$P+$Fql05fP!}TmjL^y(V5hfoiC)H;-{2 z%9~!N%~{4kInK=1j5RGPf{#}J!*0Ix#)gk0;G(EV3sR_@6ft3Vl_xM<1oW8I#Vy)I zsPG@6n6ISmZ<-~)R7+?ApYz1629Mw5j(~kw>nTLGubryGy2G~PpSctF<@qO!zNO+R 
z03IX^+}Uta)_JC&punTEbC(c*Dj50+E`-HvZ~xfj6d&DTTC2SWRmeb7UqLB;61BJ7 zJ}Mmd{Nl>FQ=Z`LtniiH4a-~}3RwMeeCq9^9)|(>m&JN?cqp8}Y~Oyc4@OpP<7yxf z*1ehX-S4!;(q`G*p^*hKL*BxVf+B)nm)SZ#h=$YFnk_%E&DpSOM@vW6>aGBmEcyBv z44Qjrod;sTa)v_ky`^^qekcK4)a+m?CU)4Ds5Leydpgg93=iLm@}Gpnvl2QimDS}A zTVD2wYfesCDd8B+P0nxM_pzm&50hMHgzym}u|$;AmAi(DZN+42@UZ{;a%fW>pjuVRJT~kBsXUfJ@~?=4 zGXqNky8r+H9m<10V`_0RoTEUxW;)$Dm0x9QQ~ov2$aawV1gzDO1Y?7}=?OfW{etjG z*e{v=%Dz8`ma>HoL~B#yu<)mPbF!~5@vjI(;)SVL@J#}5baefpYFW9x9~x4n3D~Uh zesW1bz`m!a>u&I0ateDpgIy7a|K@j8;rP7_bZ<;`)V06d4^L9BP9p*XuK{>N6Yky) zdCvxnloIAuH|h)Y)waIDCi_4}42EI+65fO)L>NS3Qhski;X(OSMM`k&>PAl1wvGvb zNz9f1bhPh<9}FCR;eoupD{DWh7oPf-)?|J~E!8yQ(YN2-K-HiC-`1U<7fCMT14wV;kmqC8pMG=I(u+p9fZJ2+tdiP8MoCAWC7B6Yuc3jkT8qo3^HtF zcqo)sbUtf}g(fy>v|=XB!DxaXCtm3O-{ zYB3%h&pJ&P9g`hbz@aT-|2d1}G02Y)oxZYIZ84Q_qa`TDBa0Tkzq)nX%Vz~?)y zi$z63S-h)0?~qKEli7NWjoq`395Us}agMGKu`2LkzWgJ*wOF$r-xgda` z`bJ;&gNHM~2UzCXb%Kc10~1PJCHL6+qJlp&KY-=NKOVX+f+~$S4I{$lC~odQ3f%k6 zQXHJ$EM7#%VkcPjUe2TG$Es7qc=hwMxziHun1osgA^}_mbvdyn;dPm*A#v96JYI3n zf;@t_PRfj04g_T;*?vNOm_*k%xYRvd*m5C9W7#h+jM9Ws@n8!{+wDhB>^5Y3ip9YY zUl*DnY1lttH*EjL)l@i6-k%$HMyQPi!mJH22cMBQy)VIP#m%`g2QZ<19Nqcja2JRr z9DsDm1wyRL)m;;>4;qvExXrj&S|Rg{#KnKqxbDVuIAz;PA#}Hw32kTu4SGwWu&~`H zGMDcEqcu~phDa8aK+3~5eX8e+scE+#_^&~e_$%(BJxr8oHd!uoUl84dA z69+g*ah7Q|vXo10@ur+~8zPT2p@Ww+&s(P@UeLTvLKodKCcn&YlWPDNTjR;#$_WUM zC7{OR7EGj%FI;Z3%#gd7mq;yS9zbt%Q#a)45akI}Qwx5x8g0g|Wr|H}z)ehU)$KkZ z-8eo43pQ$)@(uuaFJ8cj5)XG*)~?lBjVSJ4XGSk3-Xt1Td*d^yk>2 z0JyjLFvD(kWj52F(lyTw#Hf>&6prx#5o4JJ{VVt@< z-H0^IBQdm+Mg34U5o$5AcP|{ zDg+hAZzrKVyo!cTe&Lmi=IYbMt{YaLp?NBn6Kzd7K`xZdu2KvE{?JZixZ)ajTl1bQ-vDgKTsOr;TvFLj~6L7MT;|_CVcYBw5=KKihS#pVP>)aA_(Qp4aAu}rq zzt#L$^vd5RovS(C|axL?+sfn>3JhZpih-Gyn9T4vR6uS3fK6uwB-b=nJ!e7)?A znG5`+sHhrXOTejK13Sq<@DMa;WHkUZ1_3i5AorCV-`O&^f*M$^a>zsJG)hJ4Ma)>9 zdEM#t6*H=`FofpkM!Q3B*|U8po$o#%cQOX_Z><2B-I-W7#DqLM|Lq3RZxpfsDVpua zuDdaM8On%+ggg9Q(3CA7$Gq!C*vGDPQfKEPG&CP?`-Z9Yl>dZ*87}TtG=*^n`0P7S zck=ckER)kTbqc-vv?Q9NpUt)3v+9;Z4}^d*RMe2)-X{|Xn|WA1QK~{-CRs7A0Xm-> 
zzb<5E{T68)>bCEc%f{NX6nq(ld^4LRH|77_l;5r+gg7Q%tJ{}Z@eL}Kq`{z4bal$_ zT_dpV8iE@nC&Ix}dbqtBTw{ngwP>biMxP3k^R!Sq!fo#vpNCh__GJ?uN~n#@@DbcP zyzg5Np$qa@<`s1x;t9asi+WN6>}lke$F1;eP%@wGH^v_`HLgVDf;#i#h7M!wip`8h zSlLA;!P`=eplFw+Qp7suMB@Ib1-p`Bzz^XA|2r5zg?bxI@reun=P*m^24fy}4mh#p zxft82J$4I_9f&$=hwoG7eoKAJ){|dEdvYa9AenOk5Q=-$APyk$+7H|c^ zTXh?5Y8pItY0g@O%kMDf0ozQFZAw7zPp^lwdA8g=V*KN3QbTIO0k1umEeIvJxH3pO z7Yw%cw3s+lRX1-W?`~iWm4N<;|gROf#(* z0%66VASP7LnLNm-<9b+Xzs?B%ufOF)E2)#1^uA{hAX}eEHW z8$udUmeFQ)BFKDgwo~$}VR)=A19tSYBCDFJO_^iS3!lxjZPqtX3_W;gh+xnZvk?XX z7OuSkwJgO|97|?H2J0a);QLbPeoVi45A+NPR|tWHSd8hwhI17|YfLnNQTxPrKC30O zd}CNZ&2LbEXawU}r_BfbjfVLdy%u#u0!Ou#Pmbx!0Ii-)-fiNVs%oy!fo^jR?zddF zgn&*tc*5a6wCzGHUap8(nGF1^INTaV6H`BTN@Ght<{A8`Pqy>Bt#6iPhReb1d+D}2 zaJ~4}50;4SHMmoaQ=e&uGW3vJ+8CI*XOr^D{&Uz5RAp^r=pGwggXE|C9eX85?+Id!gJt)d zkhJ8|-UR!!`fdT6d?c&-`BDfE55BYQ%%{OLAy}N!Z$0L_cJp8C>7)_h^)wUjl4a)< zR}M2=ZuPv?RUjz9)Z(*Tp)pFs|Fn0^kt8tHqQyrI#bE^+u9-}_qAD8_37)TC7ZKIt zRn@$(VmWf*u0!NyNsd%kJFP#{Ir8ZA9Q-TZ_50Amoi(A{LQnVSrLx?GXB)DdTNiF^ zLYjKdzPp8!3pe3=XF2uN+7%dH(5}(>)+7nw5rfK}Z?HF|$CZBd&FEt{;#x^__^fB` z`h@SycYCt^-!Ff>`(XL4PohaAza(TjZqvAbc?TTKrFtnnE&GJf?yQZekg`X$&9(dPbucQ>>`~-22YHdqhcH`^ zK*MBrbVfM^SR_I8gIOrggH*=GLReekIQx87)6-Zfp7u`On==R9D{yX5zYg8(D`n{W z%=mxo?#wV(m0s@||E1)C!$S#`*iXNtdKjr|!^9`OAh^|NqqLY_P=eaH$D*0KUI)?1 zsFRUbAIn%GWx2}Y=rZAE+GJrqb=XO%c2qb0+l*S$VyKnIdB&f_o@K3O*xnlJ2+EyY z;tJ2ko_Ri8;B-9)Zcj2@>8kxZZq=6~nvjWru`kL3`_D_q;a`{uhQx#X!O`e@@P8a-UIgFNRu$Mqx| zPRmZ%aL}{k?%h&KKY~=hLU1ad5UcfplLrpc@#IM%xoxes!BCAyEoVgss~%{ z%wE2a^|P&;zEz1i4;l?aAs3VJkRRLg4tj=70zRzyEG1l$ zvwdBb$prHxC=<4ldUP)Zj;l=tdy}KEVTO$4gNuZ?H_7)?Mlbuq>P~QBO{jG`mnM4C z#v-FCmCd7Qg6!}{)f)CRpA@mbCj@&}AF7)BsU}L6C+n+lm=t2AWnn=*0^f0;`>n>@ zu`g+UaDb~=8$v^Ev2cTqLl>T_{q#drsQD-;?YKBls5Z1;2R*8pPwm1Hlz}ezU+=&F zorI6aKJiCGm%)3=ai7XXPS$a_b)Q2+hg8_A^j>7bF-T)Tcr&^j$O_gU<;yV4aUC%( z^8CCHzC;^A*)-8ti+U?c`pTAlPMTiK16$qVUc(}E1VLGfoP>_ofk?9}bfxDQoP?N? 
z^X3#Rn@7Q_WJh1nlN zjjAL=pgsPQ0z19;5R`#5pxamQDaS0PPz$Y|Fh?ZqHQ^{@(B!H%!iMi!6Z z0?qzfmsHfKJ74UZ`)A3_kN!m%i%UT}!aLx*k{T_BuD_UtvGU{QAT`lN^Rl1CLofAZ zO+|nRK&|L|C>}yQn-uBlB&eD~B0B($C5J$i#arPF$Fr-_{?VXMZ1d5b_>TpxgO-7g z6bR>y7$rb!R2;@yooiy?FqNu-{Yz3m&>&@XgNuCr*=-D04Z%y?Hm}>>NsDGuhe=nm zl00p+k5?8fd|i)4{Y`?a>xDzPho-nwCJTFBa%UZC@8Q4@1(D68e5)+oPH3Lo>{w{$O+k(_dLD7 z`|$H!IW|)n*Ru_^X8c?wFfW+TJZ2RBCBK~G2zed~aR@dlvbEGWYZ;uDdV`z|E$Tk4 zv{Feqbcz+Ruy%@G=P2+`&u-9jneN!Q%Cgr=Bw<6sAssUkKBz%Axw@^_%gh+|GUK*P zQR9@Hr)c#BSp-pvoryde7XcnDim2pF2Q0M^#(AIqhAHkClkZHbU4y&$pBg}{+e*Z< z$*6Sn#c4P@TX**ivKnM`WPEi@1~d>sbOgysl>|EwL5Jb+iJAmF5UMbz$Vrua@(BrE zK=a}}c=jfv8PqD$SWXTHq(U*MgQJI9;s%>bDY)=l{zvGbJ1(aly8aEdK@?%$1f5T0 z@*`4UReWPY?lUYTNU z!01S3K(x9-hX#`Ec#X=O&|?=<X=ge$MkR9?It@kU4%U}qhn=k=p-17m9#=qoTU}5#$aw-}q)v?d zWFG&8Y#OoBds6uk9wH@}`g%3=QNn+a%02TE6^ss&hIcywW-$&)3(-wrqL!6qj!~NN zku~z2vH{@y*f-RndLH@ELnS6#NH`d~DBFR@IHfb02YFPIm1U)bd`EOPp{^a-l#$P^3sNivMJ8~B z7)6(A8Y_4pEe+=Z*U3^{w+6Eq91j6utA49j={zi6GP+MWH}jHHzUgy6-ee0mIXjF* zUNwH+D1x;4{sZtd(_2;>YGG!wai$fbPl=!y&+KCP$B_(+o=s?C1)YPL(ROBr1M0Oq!G6BrY`_AJNy99K{V_a zhkVi+a~;KQW7u4b*A8jZ>Hc`R%QprGy~iR66jFWp50RRLS9o*NQuXhl|5h#<)oz&m z((6!i!UCO*YFyF22%TGC7ik_tImr|LrjEYCD6O|>lF*B2UOoTO(`5w#K`ye$z?Re=3?1^g$?PO! 
zu6RVzN&6$Q8&iq4Zri3@Vf|;)!uAyTY?h)X8Q|T5;^6HMSBd!UK$0F%{d4Y6!7e6f ze$RoTqOu`04(S|jtXv#sB4}ZYKdJwqD9(>LVMkMQ&vE!{s+Tx(=}e3|!f^~WJ=-dmR0HgA z>k&UiKJux`zN9oZ!SO&iByzm)97P2@39qL9zLmF9s5*e7*g~@3UP4o{7Gok3p9>g) zm?pH8LpuZTu0S*DZm%5cd-jG3El~Z0GyykhS{vZ})@(5P_;E`Px=#6-(UConx{qmM z5O}?T${clPSsSa8ZI;F$oU9hxv|9k(PyPhlI6grMyT;fxpL%40@%?n)oF<-;5B7u~U^gq`?L%haM zdK2Q17BS^M5{dv(Vj_BLtCiDF1ZX<2E7l?oVyf-tTD^p$3i$qi)*wl{6>#m5NieWb+$c@sp~*QjA_QeOU!EV z9i6##El`}{hMiYUM*TT0+5QfDsx!69dli|9XO=nTxM%o>gp!zW z9R;?5H))bV^WI655jl$6ZhI+w9Ajw|U*YTUt3tLf{60Pke46qa2*{YP@9kgpOObco ztR%R{K_jqughPZ~7hd__AP`Q6GcI(iLiTus;@jV@T!^|`OP}Jel4JQ6mpJOZ)vO81 z5h5*q^xR{isG*wwc|Cq?4mHFtelC6s!cdJ9*vyZ!@loxA0fq?3S}gx^jWCF%J5aFh z2q(?wFiE$D$}CAY63N`zttMxAo}Xg7w-##!<`xB9r6jF|286|~*2(!7o8z{6M+4H* zg*Id|chhGxBul?Lm4P(%|Q-KY(}sxYuQl+PHsl@!6>Q8(u<4% z?J#OgX*hm+Xh!R-v6VOEdZB@j@F+ZwypUOwq0Fu!E)%?Yy+mIOO zJ0i6CLqY+SR9QeaVU@A#3S=;fTapW*iSi}eY6sh_A!vzVphuCL^5^PN(yzr=BVrBP zPS&s0XPDp(+y2K!9Im^i$OJWSbHOU%0`8U?<>L!t$8O{ zO%baA(Q`qbhxevLE0$21X!d>yORRl255y`WpLUU7P*a8o!8A&zy@KZqj_b1061%k9bsjlLA(tGU>iRG zm|~Q?k{ujjLeiXSA+JM;yfct>$Em*(uT^phEg{DHKYm|VJ#OV5dXzPwX>x0h1tmQ& z=0awFEIlwk3I>x)0`6btsmI^~l$2Cc9!-UBihwpT_+!>dZ>sQKh~jmc?teM>c3_pw z(-#3)Pd++){m7)We1k(fX8s#ra#6xO5xmFqR|$P09+7w9)*PTef27+pZoMlh>#gg? 
zcrok7{_o={0T!+N5X3ACOi^N6a-JVlLoDql3AY_8X)u&i1;{q)!z;k#@Zz++3~o45?lv z8lJE|rA&E75-e-Q-GQ*W7F@dTd9MI&5AS4I*aZwpIn!V~HSLIbK7aSlFqkd ziup(41iKMrxkggu`YKxR_!_uQfkELS323af_q~kayd&;l*^IXcVk4|nl|v+M+*ynY zs%<%j^$*+&@#u1awQ8aLm%KyPR>D*{f2ICwX&vJmH_E+op^1JvhJ(tn6ew9=!17NMH()`LRnxzzM3C$ zN2<1A@i^%2W5f4HkbXx}i`brpgW-!rk~4K{-3V?79J1E+JOD&qjx{P^XO0i9nT{_G6tA zP2$8i@k+(N4Bxn(Zf{L8YZ;~fz4`~+x>+(2$eSh*x_iOE z*pFHlU6Lib!&}(}oj5EfD5LdWdjY4y$$BSP_>%hRWIR4U57+MPIR`Br+E+Mtt>I(@ zNsI3FHn4e{@Lda)!Mg{e9;u$Z5DHkGxI!zS&tS#{IhYevcqq=hv09qCMANZ4>}#VH z;crf9cfznv^lUG^jnIvMD_SGsFd={04hg^X{5sD3T;%=8Ne_O$SmbA=)!9iSY{OH9 z&NOhem)VBizIuMR^_Ufh<>ucJwrK1%!@{__&IooLI%dnGAEF%vm{OjXf=^{lVW+z& zDUq%^u}!xU7t%)kp{`=6w02g_vD~a`CyouvW?NMyaNKJ8CI{QqmF=I|eNyk!bXm(~ zv_s?t{P_nB8n>e}WmCVY5B#v%JpTshOaOv*!vurhhsIZmo=D)R+&&rea&f8j*Iphs z_=mT0^SeDh;-_SK`VYX2oAGxATtAPO9E7P}Oka;Dq@%hy#?)crb`I0 zoyvukdIoG@>j@46zLQo#U2elck(HpE5gh10+0WQ2CmiiGu9r;r#_#d=nz)^uv+NPa z$_VUS=qz`gZWfX^o<7NZgSZiZDWhqUE&Rv7%sI0afMC&7Gs)sTdCBO(a~_y`AAc@0 zqC6+|6=jW2N(~|J!OPV#8C7utEH4VlJEdtqZ3(FZxwWj#9Q`aX;Gw)BQ8=TAK9(8Z z%8!=l(prxNaHHEl4j6}?7jlZf4sZ{7ANnw2Ps}Pm6Xhf|%amZeWIeJl8@(A0-WrVW z0k%0`ZrLC~`(d*V3lwA)lTaG11QBL>2l0v{19FgyZ_h1HGLo#NcKgfl0*l1;(tlZ^ zQYL8Co<4(dIy}VsU|A+gl*Qf8TLGCR(qtDnTx=R*sibJm{_sQux{-yLt3(0@>9K(A z4-^!*ex?0Abt)A=Iz0KpHG1_4XS)IB@#J4O^nQo*S=cBdUZbj`NfR@^8Fo&aN^KZl9B zQ9#(`Mu4Jq@b5i|lJrOA(mR^)iwsO+pIImGGj;R6_wgf+b+?|nQv##D_w(e;A57!m z_z6nDwlX53Vf(MfRDg84eMF zUDD+1gP=0q=^-Y$3D3t6iYQrsXuzMv|8thY17(f~-cy@YLOW21ng?LPp&~QJea!Hb z{mLo;V`s^D(+f^iUbV+x*nX8vpHs#h*T~*W@p&u&k%eBm13X%dDtT#qDe&H#`06c~ zOF(J9{2ZHY8cs^iDBkJkuJN?h2+nv+b;y#&&JMVbn;hrVfSz}So?IZW;Q6thK2FTJ z)@zYci5OTJ`z+yHw+)E*5vQ*!Sau%j>mshq5|zAKNPq$4;~Fb1t-E(pZ{d>OwS z=exJ^Ku(;Pg|1|v_3^Dlgk#w;TBOR|q*yVg{g6L-Tbx}+v6o zK)WW?ONE$WElvA}2fn>vZojEkQbDfZ$MPPZALDqzYofONTWfoNX?zW!S%U?`l&uDj ztdQ#BQMDG0*@7`x5zmpgg51E)&5x6F=(IdQMR4eDL{vAMu&(lWKtDb5s7Kpe`Ge-6 zRx@Y~Db;duq2gpJl1k?Okf*pTqZnU;{#w&8h7>^}=!u{XfLTdLFST}6*ntmd6>h*s z;4PN><%Bnc?uVWmO3+q3$ubSbSf8TsQOx7<8pCz^z!S~UeX?^ZKLjgSl!9tk2`u^s 
zVGkXwnyqIMaUEDcy>?X;H=p;_87HbT;8I$ah27Vsxg7~FNxhn>n@gR;U!Eai*Pq7&f(wk4Y~b6`iL^4{}e4rAZ9BGmXUb7h=y50p|b&2wI_nxh~)y|W)4c!&IehZ`I2C?4K zxd(2+1JxAyqe>%g`uYdBMA}O1vj_9dsll>1*~xL9y_| zbDs)Q8GXnmG8oK`uLF7&58Uul?~b4N>sh6eRnEuh4h#UkrIH2}A!3rjVi$YYEdN)Z z|EsV8SqkxspI~jZV#=}%iIyNt&#~S1+&I+YSgeU^PU)JM-Q=dUhtk)-B-EQO!-U{O zP13F#`H?d%w~vgu2zRd==V0J}&fyQXo%%i@1{^;JN6e|1k+t`!Y)1-eSyJ(rTv$sH zzO>aAxb;4}TzM#(2`|E|vUda)-Fl5Mpot-tgnH>>8P``se8bA56{nZ(d0?%0t2_ZQ zYfS#!f0^iTr8?}p-A{<0&9;`k^$loHq{mTQ#XHKU7r^0Zu#!1*xjh7|bqxJ$$4=MgtKJi%oC z0E@EVvXJuO;tiiuh73 zJUu-8+}eZQ@~!hpb9;Veao`?jzOXJ z=L5yBC-+o9BFK>z78DhA^^o8Es&g2TSyo!`3roDnx8E$+P`?IR02BMd7k;$u-}!tR z_}4Yye`TNnpKJ`akbn;Oz(n+`GKZbJfcW%(x2Nal{}?&<SU`e=yx@G5PI3 zhoHqhiGQJ>p%m^lSJkonDvS8x81H|ua_GON$aYKL6k&;94_#_L4=gDkrGBbZznh|e z))_Y`;y5zTuhJHhRW4 zVH$f(ZI*q|?@uzue@Z5&ZewniKSNqSSNK2S^TvjsJX`$Igk-lpz?cJuPXsoOkAuzmy;0Olj z_Vlpv;GE#W-$Q^02K?^!dLQldyxD8Hv2k1JdF}Mwcl#fEgUYhrn;-N8FxoLV?IgSwF0Y92>#aGd!0#h`(^BAM%)@gJ4V#H;@7+)FX6iTH-^UYE zKc6336mGAypLg0Ovh7KObc`ZvxZ+4(z%O7tbZevA(Jje+^|&$=G1~ z0q63OWRRA3!u+<=Zqg1=UXvUt>9U0zm<_tm?LfGez!j}1K!Bi*Ix+61=w)178M2HN z%ZhHmR8&W{Xz&OxIKx!O^MG4JmcPm4>ij6kT9LbxH> zxDg2c850k3f~6Z#R20dsA)hpvG-G9(%Xdp#69J1nxPp#A*{UeDC%1|;y$4g-B>GZS z>*wp|rT!7d4Ma?qVI|!~Z%*;3gB?R!6N0J29$+NkJb-fqAUMgz$iarqn2sD3H0%q} z2>3QJ+B5g@5f=eU{@bb9vDpCdv@ZuO8@M@lM3b$yyY6i%n2a>f&&TIn7SEDYG|!{- zciIJq<03Bm_23TUZTr+MgnCRA%Bt0Y<4R*SMD8XC;qXe&SitV(bFjnDS(g)Q`L?7E z0amb-Gw_*;98)bG=BRd=G94OxCCkcm^v(GQ+sITX&@;zQPirszeIyc*~FW~ zapg^*7!l|;im6>)NLkz`t?YQ&RcI>9G@DBXrVr*Bt!e|0cCC)1$2Aq}*p9(fm{mTm zFYmV6t2;tLV-qG`sPH;Kol@=aHDH&dt`jf9nZhhfr+t022#6tUE|B8qP$sETTAAj7 zP_+|AG^4)YBnK42KAZRuVOxX~l*~(#$tD6C$KMNBrlFcW9%*hGu*6unYla7uI>OKn znE98}%6>@zrrnUO5(kCKu280`TS6Ct^KhifO_r1BRrvKToF-G9oMIu0y>V8%mJ`sF zbbSOA2G9PZIUFpFLos`*pe1#FFBV;@{ZJWHdQ5Iv!Jl60#8Z_R9!KN!^>ge}*Ks?Z zEg)4MJ7aKY6b5zA0u&3Yhhp$^BSPR zM)tu0JjoT_;;SPqX(S}HjuDT5RZAiQZXQIt}VPq{_IKvZ$i z;~|+Xj$D2c%2x30RS9tFu-TNi>A9}g<+)PXyUBoTvI*u*<=mv_mQDEF_VCNyZSHA$ 
z{44GKOyaRHp|&dg;jA*)9AP7Zx8MThEiO#456aHT#u6o5yZRGz=e2Z7RfA-u%&wrL z4c4l5I8*}_RbX-(HpgI+gLutH+XcL$b%&V+${f|NrP7Q|YO)7RB;VWqVkOTtUfk?f|jojPN@^;T}57{D-S z70QbbOo{hAr0J;aaTEDyHdc+NaPuYE{ab&g>Y?Y`JA=~4+E+mvLHu1L)tQXuf}$n6 zF-?Em@G4g9MZ87lR7+QnTrFPgql%tL!eFm{^Wq9Xgsf>Wz8o=B(X(CE1oP2K@R`zRr9IbE z=*~>ok#~E%ka*(Lnvp$cgT#jYLo1DN&%Ui5Ubhn|6+e3b%6&YE#<>&jqH%!l!b0~p z+Z>3ZJWS7?pQF5Diu3SB4G;6Gy?8M1G_X{X34ZV*1{E&2bB%WFCW~7fJI&33zj8#G zT!)g{c)cs;50e{iE-!G^27A0vc1XW_Uf;OM+~^J22<5wCq}7yhh9(0nOOG}=lU!Ch zPNP;AE}}%*pKTt&5+I_eEv2TK*@gh>sHtGWtTaTRG+(X?N#s~)3Tx}5Sy!MGi;bkU zjt17p^7u<9z6}DtogAr4$xx+qN@UB^;J4->#PLR|`Bvg{Ro-Ya=iA;hPh2x! znJ3&2A&!|$)kh!i-p3zaGcV~EgiCoV7B^ePYuY7A)yjlW)lP zEkV5&pZfBkz!v3rZOY)Rx|(b(mrPSC>+#odldL;6X*M<^InV57DPvm??~M=)(F;+# zb89KlIxx6flqsM7l^*=VlY!Nw3*PpkP7;cl;%Uk@w8i29dVn!7Ph9cb@wgcMc8j~J zwUshYm7*Ixvwtc~P2;tQMOZWmyUq^p7Y_}(-aPj%y`7X*)*iUB2-j3E@{eWIh7s~f zNcNqe%=9{R8!d`Qw2DML^?wE+BT+suM?aAa<4vp!sgTT~Or6|Mk{z%mY+pqRLQ-LC zfZ?(7a%!lZ6BPQvH+j~)jTUGmq*Z&=CqDk&{i#J(Vn>>UN_bxB{}cFGZ9k?l%;OOu z?#gzDPig0&;7&eC?2w?(i&3!2dT^P=-OuvxgyVEXAL89Dz`F;X_KhdZja1DP7mBJT ze4RfzOU^4|jhBM~A?R0r(k;R}2q`3>& zoC|B!XI%?=Uc2247?)l>hteOCE#;5a_m?AQIaD-OWkSq%gK!>Tgw{23bj=}NPI}~gQ=Ws8|Ymzea zw&KBSMk|@h;VhW&EbuG6Pk3}E(@Cz=nF#}J$;$pr}kl=zr~_;Gc>43QFpo=;|^!3kuFzWSRYcj@N~ z<}WDa6`Ry%R#PV>P^!u3DW7^(gRa{#5%9YP>Py9(!?YT5{_I7>NJm8}Y>L67_^C+r zeX|7CKilEzQS;!6gdY-wCdO{2V{PGGCO2yVTLNSslsj)g+C~9eo^_TjE7&?vds`#jOEEKb_aXW1$Jpn8Pfgap|3(r%OlR)PuzqQzwFYH00l-JxcMbdo<1FG zO>%m5JU6zNMMO~627BRXc!{f<3MPd9_;90&;`Y0xl6m3IaFT z1dlJ7*Z&y%D~hF}8s3K|KkBaRvwCV_a(%GQ^MSOt026vdR8nv=kV8h4AH!h5FgQ?yE7H z7%*hh0e4nXUA;ooc#~`*XzM=i;~}~Vr}?$qf~( z7PCBzB{2^Bmbe3iYn(Hl#%s9VXkh(wsZCVtvJ%Y52*oXm^5;*O8!h~ZW@}_{a>$cE4?+u6qA;aQF$AkK9|6HiBDPxOZQ*M4^pSsZ6u1fme z7gFC@3iNG&#uvaBl~lWpCcP{6;8w=o_jPT*j=9_zDJe!RZH1EkDg}drUhL<%}j}9A52P)GoSL>q*;j4`#B(^wGhR!aGBJE9>7A z_Fyx*uZ4N!Q++;AWp~5YfqisklQFKO0|?HCOkxyMYpjr6=F4IFiBoZFJ@Zs3l5X9{ z2i<*ns3%SRp8NJ;uP>SJGGJ^6E-1+buwj%RKBB1>-x+BPreH_=KABXt;wS*l5y(HSTWSsLD5B>ofwNtm@0YkmCo 
zzI%q0R@6yVy=x3y>aF)*Bpm6ad#QcSe>RXwpzGnEB zm3gryIV{uNjHa`$rqQJMfCcYRM6O*Mrkiq!K!@O-7N@-6t}3=S&ARZZ5?|$Lk_uFL zD{~R2qc+UXdUam7!F82d8Z4`v`1*X@3s{-DC3j*HC99t?K%0NVr0X_$s#-VU3A=ZMy=J%y%Dja|4I6}yKkHBZo!CS%Zlks%4BmmtW?I!;n_f@*3qOzGK53I6IFO6nM) za(FiQ4=zjxapZ2ttlkI*GTT`w6-48xN@pFTg6g62ZwpdP1VEP;EvW*C}I&95v z?c8%8WfO^xtRx&Plh*io+qH@H?Lheq_e5~)NhG78m=8n<`5&w7Kj(ZG7}-n~SaXGx znWhSkoWw;}Z&4S=^h@*@m={5(t}U*CgOcW(JEuyiiX!Zksiq2RWte!2szT01wvsEW zYG}0@VT1U~z(&&SsdVu+xRf&IMU7S!YulAG4(+xgu6;?psMFGM{ADR)SWfaaiwID| z4Rt8^@P#yRI(CnaliEPv?AfBIY!d%W+CoVzDt9XiW9X(Y<@GX~Mc=u(WvnazXJf~E zyRdk+07h&YBjYEl3#{_h$Id}Sdn25ZnF6hWEVYEG=MN9ZW*5!pVm)s?UaF$6rD$NYZ8h64d5&Nf6+&4lWVedrY`3JXw9j8Q$$^RcEwXCPc=TcdsJFqt;n)9NOAt3GpW6Xb{Ju1(W?nv zp|HR|qbpf@7ZlNuS0h|h(dO;C+Wd9uWnOowNRg6gk`SS?&8bK=Y$?^ZoI8u$c*+%2jN>^?}MF+qtb{Il(1)q(uQsha3L_%K?<8*niCijA`ESjLo9MFiM6bfc3} zsO|Gl`*2|BMJ&)7?K=;=XOmSlc>I8>RH^wnK{mv^q*g2C0ftl;JVFSx41|yWpN&ft zw7}8`I@7!J0nTu=H`ZjgoE!C_%~9F$ZOvBUgKkIM2sLv?G*fjy`(nd|bY%k>h|omR zJZ-x>50^JRXLOqSc-)1zrRt7R<7k?MwJG!mmCE22Q>1Q&vNt4*=F8I++IGFEO7*aK zAIEhBOPyH^)sm?=R_q@_5`oiq#q>~vmM^(%iMgYyj_pp`$daSvHiBbqnjtFHC`GCGZx#Zw~2^fscPrsqiyo@zn_c~+0Tq7uf=gkNNzDcBbu=O%1XrV$McyKUHr@?zLwS)4RyfpgZ=Mu&Ki={cs`oz0`G3Kdp^z0p9$y# zpN7^SHl!b2yiULOH;d_)>&23Gc0W&N+~s&NYJd@a;yMU`YVxws-hPH%n>aOgxSmIP zUPU{i36jY!jrh|pi=DT{OYYKYS`X=$^ouTceV?#<1l=j$T*GtoUb+UQ$Fvd-vv zoL%Q?vS-|a4)->$%cj{CWyRhrzVkgRu@X)NZ6$2a$4w{mY9+!c0DZmUVAflf7lL%e zF35CL86jb9I$&Ms^t@(@F5dZF? 
zhLWyeT<@3p{GS=irTEe%5<7Km7Z+J@@$!g5T-W3d9~TmoppZh4-8s8S_+k>KWjO&s z1p%U5ioHL3?2j%*C``+G{rrXk0*3vBdt!P?<`_{dsQ_kD;j^jquI%iKUZxr%hOng6 z%%p#qNtscjhiVvU3hKa+;V_XgF_EEsiQ+1xCd?}P0z-xa{e}xeg9}v2+EJL7^)%l1 zQU8zuq$4XJMt?CZ(NxrhA|s_EqoyMRL5hB+UL^mra>WtTksHyY`}X$q41TT~D~AbX zX8qYQH4sMh>g@FXHEYTnB9fWOV*}HK8v+1Ct7ToQEUFDcYM_qrPwb=rL4pIL5xzyn z!F3WS*d6@|ve!EJ>4(%nAK`~SKqtnH9;)R0pJ5xBqy3VH86dE+{j~pSsQd@h{ueX4 z;I4Pvvt|FkbHm&CIc*`1|Bv|8JlF zM1n;7>qh_oh+r>bMUKXQ7m5k~JLVtXfC3f1rpnUa9c*NVz5p~)1qiO}-=ZA9 z=lMUtpP9oc8?SgZ4nMp`|whb%wsmnG>$ZPy)yihW!|JvMA-_(i?vCv4l zQ(Q2NhHUQ$m3CFen6Ix~d<%U-A?L;Gq}EZ`X6Jdb+I)oNcfJL4cFxcUNT#lAtik_N zFr{Bs=imN#%;u8E$fL1LotkrV}Fudki^ymmPb>Z%HWuNtSHcSl)4-H2);- z%w~VEIVi0?w6c$poDckioRXOAFmRYrD(yLMyCMpj z37c-DHp;MWtRd2bk@x{euoBKKs~lt`QzSZ!VNE|i=gHF)#m5rPZ4yL}ujv0AW}o2x zeiOpg{H1ZtM@^4ajk=hjNLB9Sw=bj+dkLw`V^U|6r?TuK1ytd)8IVF3I!*qBv(Y=< ztVZ>damg+^nc6p*H#LLzcGMcwc}*4`XJs*sqlF!o!13BC4*hmc=jUt32fIsphAYT-j?!)UDSqh zIm(9f2NK2)(>B0riU<#9C(E10ONA<0a_4rda+~PR7%IQJ>LtFKmve8YLxrr&aAbfp zC!&hz{FBXvTPLkEtYI1kgG=yK=j0|is}2_`t0Tj~VNeBek~rmvXU#Qi%q8`pVP}%F znrFhMS}fLytA~@s_zch{{X8l}e7;2reN06KMCx7bUewVIlur0teyz3ewe-+=hzr9V z^y!69@>+{#$;fBzp}ltc@;;f-siHJ~*znV^B{4wc6U8Lltu+e`jd{eIliaT3tTlS0 z-foBQUbuXx&BBPUumsgYoS6a_8<=(ix0Gj=#xGv%m`)Lb2{=T3gm zu3M3=ZqFX#OjRP4!HURJpfmNhSHE)NM;}RyjK8g{Fn|S#bKY1T$|q^L^HB|9IMW1C zMb~>K4Qujy<skUp0(-$%0?;fKa0q`nFxkT3=3b;eZ% zh}iwb$of~lp#WBJ`!>4*F%hj&+v8>=q$5j>`+%4IG0*kYXkKA-7oFvnWIV;OSk7|a zaD!y_WvfM)&FR5k`-^O-0-B5@cEy%?o!A*oWjmDnCGN5T&?Jg)uGXqg`e=dZR@#Hh z7QB!O>SwhWvFn_dO8HSo#fd1avf>WReU7Wn2_o~RBe038UvBP~owlPLs@K;z7m4yP z)>t_$3){>VUGyh9PlUQ5PNqpEg8Rw+}lSHb}~)=Qe|-on(|nO_pyh-_1M}hM!~n3A}D1j1a`6Xtrm4w+(acm?rVuD{XsC zb~}eeGKRMa{zc0(bnxUeZ|oy$Mf-rihPS!>bKH<%;S}rWacGe zXIV9ioG<#MXdvKHwlY>^J9Lwr&Z&BXq{c&CCg(EdQfM*vCR&0Wc)ZRE>r?raDz?_k z(Ed|d#PEaZF5jSv>COCLe#%OA=K)mxq1`XD>%L5mUCO|%;l)a7g&{&wNUYIuKW6Qx zxfx7_nU!t*SUm!MPVGaKrl|U`ygSsCH=I2D?h z*48nnexo3B38h`4kJ23Nl+#HhcXHkFuriLkexH22$c(kBAy)j<9d_w$5B6fBEzjq2 
znkl%FQ<2dWNic*+C{u}4|5ee^1M73zGqB8{mdo~*)YR_oUQ71YeN&lLswhd5MOwc2 zNLL3s6s_G16XgWcRI*Z4H(j@b*v~pqJAoiZjD!gPO)z{-NR8OJxyik$)yd7x?djRc z1TyOn^!W+YAT$&>+fa0LWFk2+PDwtasF+$%L`)UIptLf-Jh!rvqRPamU24fFE31o^ z4Kg+|Le@)%PeM*!R6$-*`Y{kwCkcV5!%K3F4|j+SA^|c+;E!#|KT3okMoWCb@YZE2 z_6M8{jSZe|2gbWLR{-5lz`-t;oujptoukiop!WtblTa%^ob!0ofE_-Y1JG}5 z%ncY{{?9Yc-##vvpv!GMH+;%>J(#e}*i<2o#0{QT%0#fPu!l18!JDrV+($K!NIycZd~^^k35@bNPT{po}XvkLcQH` znVHy`+;+NRi!!bJfeDiGA)1TWBL|51tfFlGXx8@36^+TV;xl_mt)_YxFp$PyxJi7w z%W7O7-BDK`EzZN+tBc+32te3k0JtF#29O4aJi(Z}2dba^fBx0<;nhVPBWMvPHWuQ` zmRrnWHwFD8jhqJ6uPz3w2YL^PNb#PoiaaBG`B1pk2=G(05VJLgqM>k(qh8y2ZF0}} zT8BksfQ@>Dj#Gk4voZQx9Lp`-2dHm&5dOEk;^TXi!7LNye8cCWC%B9Z(oy0$04OQ&?`QZ;*zq$|&x&lbc}o`VKhGRYgbcaj z_ODolg-x+n&y&Lk_y+}RLj}l+3CWs@;lp@58UCD~N)mWW-1zA#(&9dJB$Axo_HhNk z>Q2^kAsE6C5$R}hx2_)bV|rOs&14clxtT-Llr_UpJ|@!H7<0=PsE$rtM}*JB}JiBIQF1a zrleiEhs$C>83Kk6VL%X6xM)yx;#L4M5LCcjEqy?SBVdduIr+2*8((l8tl0c~V%3Z% zJ7wYsU^yu2FEb8m;;E|H=g}LOY{JZ>*8&(@e3Ve#JD0zwloW|v3<;X+syc=+duAoY z$6fn%iT}I*Nqf%rC^`9oLlrYm9!y&S|AX}s94Sl{d zYJgCScVmWrSN+-ips#vtB;cuP2ZV@ttzha*@NK#J)Bok+f6Lp#Pb=sj)n@S`-*tfN zFep8L>&A+<*||{*nBJU@)F(1--G+apJ)+3lVWbDH$XGPO#NX)JO}ORfH?t6&DgxB` z7t)mUUVsB$cCgRgI&(PQTJ3tkRH~et`Y|mtfdtdAl{LrsIt)fRBth{~oIPcxh+s34Pq7A$4rkQ*`n)T#T=%Sr32rtfFP` zkOwqJMH!^`k`{NyMl&Jru8@y0x=n0G5cP2P%I3_}ug#6H><6#zC+K4*Pz1ZGcU^Fl zjiQ|)U@e&EqAQ=TA>5ghC5tqL;4lLy=WCbHwm&s6O?&F-vU2N8_Tl7$h1s#fr)3Nm6U>~NOJJvaK%}4v$NBm1SNO4vxL%1{VUAT8(PTf44FJ=@r3?DK~&aorh zcD^X&v|+((bmx_$*4Ck1f)KN%+D~e!ksIz7P(A%bFD8A`KG_zJ?Z67auYoO~EfdC3 zJ?>hKU-UC)?NitJdnUhk=T)v&jNbk!yI*!Nv%|O??%4*00lawSY}Fy-z5CzHCK8!s zn|S%U5Xs7!G1!)NTD$G);FLwl19`6^cZC}_O`cQ$Q^53R;FeOj;2;(Ze>-8Z#^WF$ zmdtCqq%S0*zfvo9u905`{^;WUPtpF5!ds0%Kzx?Z5;U>XQ!jddk{LaELh9)z6;28d z*E|o(Pu}fR(E}+lB-_%1e$LX9;h`C%W7CAqy2B!>AIL+K1 zkoOSK9D*x~cf8(jwCjam?4%k8v#l>W`kTPEng$m(=m()tx9K^xF8nVC%_9O%^${0I z+NMH#tm*er4S+XZq+(Z--a=U{+wr+DC(&dILsc`JKFAT)>IFN%UKg#Y5rRORE;~X` z0`34nictWWRRE95*_7fqy?v)!UnEdX-_ig|23281+(va(y{uFybP#h^#8K1S_$zl$ za20pWbZ_O2zfiJAcRga> 
z(U|Eg_w|4P|8|)3>zD8VF@Ves;5ETOD#pn;>9GU%jL{e=%7N3Dra9$gLYw?P2nf^YPr*BR!pc7;<;HrGe zL5wi88_m0Yn|2x3Sx^XUReODvt@7sI7b~o{cBV)JTz7V~*@-0vQZScGYKp^x&vHTe z1aVhjn3A!#{-Jt7@KHTiALFpc{MU5VUmyD_d({T1 zSD}x*iDs?>NU&-8=-h(KyPUo`X4g*0FzC&QGFPXz;TP!E^27 zCk#Q2oo}UK%B~zUUm|U%G=69ny{1NW6<65f4)cmxxWfnuA{jSBCPR5YmB?apV?PLe zs%;AI2*mbAzjLFapvl~8!;!n@5a!^qkDkk3cm8&3Y6~M-;VsDVC61nBeP_BYhXzW} zMG=UUg*dyI5SQAmSubFaQv1yjMcUcD#aH&0gW7~?b5zZH1bSt!ke?@Cz7CKLs*kYt z{pODKn{S-hK)mWnI8iKpN9-Gs#j7rm)Shn~8s$+a0zLwIy)O@R%sHvHni*g&G}R_h zjc8CD@BT@25YtxCtVO0B$CKEY*MSbM>*co7u(3G7reH9SibWrf-Vov}B_M#O$W(=@ zHK$TsJyY`uW@n?__~czxbNnM_DQ5Wf6#|#MLikCIYkR_O(6BU#(O2}?R}@Om6lmwV z+oze`?T43!Y_Ra$5_9UqI(Ig_ z?CJEoJy?qUUM)OdT~T1z%Ie-1%Yiv`GS1i$1ml0Fd+QoFm&d<)A3~~^A=wzGm6KGcZA&qmN-sR7yP6FlVsICUT9T65UYhlml*WeA8>Vdvj^zG=1DEj+8adPrCnbDM_CWjrTI52tWiOG|mZv8Ci}=Uc zyV^YASdC-)H{Cf{mIUMecQ$_@ND!7qKS!#9s=cHA+^adWnLTEs!{)=nQy%qcdt!a3 zLpwcL2tI<*X2J{%5NW9UCpKMXK9Zf!j!KAw0=E82P3F&BZSVZqY@ps~Az zPODa%_fI_zdOjB~0Z01;aE%;7|e&DzmPh{WBD(6`reT%peQ0WGC>uEBr@}$Toq^`DufReuP zsxMQJ3p1#gXdN9|HKd!de5%r>O2vM>?xyrbjV`C>5sE__A$jjsWFPWc3N$((I^y_&@~70c&9M@`4E!KRa!N(6r`Vx<#neyg^! 
zq8~nLjI{d-Q`t!&=%_@%zwjtue1=xboJ99zfT}-)o#Zp~n&VnCu<3Y?= z(e27wnxAm((W02|fA~_|&qh;S&XnRsZM7?RhU)SQ{w9eAP!tK(Zw1n{NC7eVDr{#e zy_@aeXeP_p^F`E={)iNUqQ}lWL zBnQJ}qgfq5#wR@oFG;sEleF61goc~nJv@@-rOjY90nc{`v#tXzOSB4a`y-c!RvwTa zC2`?hK{cDOnkWMv5?K60aIy}ZH@Wc~u%us)!z>|D6q#9^lz1vc0H%+fkXfveP!wC~ zj%;CpI7U%YXg*AFBGN&U(Ij3NfY^kyvmUMBoM2s1)xGoOag4Fp?B4VBU3>E~LMJ#A z$uRSzwenB*<;w%zyQ~9)le;}2p{TGi(#aHXAhwY+5ONvf!_AV)(Vrp=NSxFE1rS`4 z1rC{^0+eDEyXxHFDzvs`!*=+hHhxWg!)f(E4g`Y#e0`<#Iba*a;!lo5<7u?$q+ry`^X9FC z>L=}l1xk%{rvt`uQTbK7F<9q?3lm1!3vxw6g0)1Cdh-0%94Zo^0w^b`1P95~0t0(4 zLwOyp(&C&Q9oxb#BjYKHmeF-j7w zh<_8)#lnqAy?4Etnq3XXt^=68f&mT^TNr1ZacjB&1tdj8EKmGU{kYLAB;uzCXNI|s^eO1{$|kfE@1TmeO5tyAOoWq^v3LTZn{~#| z^wdf;@1QLzW%&4XrNEajtX}-d@m7|KP}_LOn3p|%gf&4i0rzury(WuhnsJ%N_V_3H z(qtoSJl(?3%^>;O0cq`$EaNGYkQ9xXQbCbA1X>b&4$zC#&!$SOU?&;`Bev~h|D;0C zG<$UHkKJ;TAPiG!rA{FlS5JezqeGBKWV!Xa_8}0zjKR10wFGvO|KS550aqq&X<}Y1 z{G~)N$eM#xN*y42`>>qs+b7&si}lt$4nt~kI)Mw7Tk2NO~h>Nw>Sg6*IQ};)~3Lj83Jg*S}50ER)vv60& z&H5fP9+f<=VN%0$!drI~({{vWpxz-*EzyTD?Y;W3wOFmqYnx<{ul^`R`y~ypW4OY@ z8m*3`zeQ(GsqSx(X|)u4QDJNOKgN@CLd%+A!5gZ1oHQ0=Aw@!e8fSnhL0e&`C7iRG z07y!JQ?4}NU-s9!10yycA-&<>AwlWoEP!Fs;kIH+H|O>Y^O6K=g&AB+=F-MLc+gDq z>`M0!gW`_M7+D~|UTV4w&1^?`!-JC~G?boAikksk)6Wh$78CH^Ejy-e>?ip|7uWKE zMYqn8Br;E)xyAI?g+vMQRVvxpTsMA#L^0R924OM@Mck#t{?U4M4^eD$K$zJG-Dq6^fXbi zIMi=NVCtC7o^_#u)=9{0Gul{(01sfG`dD}REfom+8(`=J^N}J0HYC5 zfYJh`Ndl;iNrsgJd!d57yAghpm1Y;;Q_Vkm2_*5XrZg`Dx70DkBc#LhF&qVooQ2Gc zUQxj5PCWsHDaNe)MH-Rj>DwcQNWs{@-vPRuqPH;eBSxvOzGhp+|JakS_tAdvJKUZH z*YUUCoK!1pE8AJehg6Y3z)GxUw@q@%m%_Qs(4M9I&|ZhuDZ188elhgZ6Vv$HfXa@- z2g&${JQRS3fM#Kz692Jy!jM&uzGR-bSX%{&^wIu`WRkA(i_WD2xOm&?P3;m{sp}%tNUmv6-wL- zbY!JuvRGYJ6;|3I@eilwaZaEDq9jRUIX!z4yUn3A_3NH)$ZMsec^3j0le^fw(GZx} z#6z3ZcKd@NpGgp+shuOb5bMaZro+v6YIA-lILLWyrY~ zs#U&;bN?EK1d>z4G?5t{N^`Gw9XF5^Y(J{?8V(ifa}{@9vtL``RTv3i36Kvp%xft1 ze2mZ5nh?xvj&+CDt`KEYqus`=t@+0Y4B^zD*e^HtZ|0%vhbA5>*<=1dLM%+;L~lDP zZ27t~siic_XJ;HlGU6pvN|aWeM#a>$R>~k?Rk6&6%8LfOGPabb4v0gy!Si!4OE&C4 
zptGRg&(+(u8Zqb2u-cSeyD0{O^L7(so8H1_C!-r#Gg=y$yJ#HnqwuqUv~vKID?yen zqt`5WI-|F9!W~Ok8kb^&WU;T=$NfEa;uO~FHysRziqkKs(|n-3~y`aP?qmrzT2~nLyXBu zQw^43I(3jJG|bJ7$fw3LnXVPK+E7_BgC^TN%h67Ie;(lN`*<~3lPYkRt3j^X?FdaS zpRA)KB9bBor>`L)FC(1cRP;&9xeu#2Hem7*HgXM0yQ$tF)>c4YXK# zmKc|(MHsQdxIox;!jHI6OmmXEKiWO*FXyVDYyH)uqxS(CUiAj61@cqN-weD;)sJFY z`1EiJXgK!G9hVyDmD_}AQXxOCrZ*#RA16q_sFo;$0yIA1wS{+LY37#HFH?u)K&9?n>9Gf}oTZqygv?H$sb{Us71V5zUICczW zjFjNlpk4-LuUsuJeG8qaR->R#`zr-?; zb(6$)2jAS^W}P6Ta`WPB34g9^opBPcH2B%@F*g4RGqharW)!Rfatd}6>}-E;+I?@z z4=cHEw1^Y%;%5B)hmcY{1X3K?yQ9xqnCwBb<~nIz(d&iU=|9a881}9$0&`;?32SBU z%7C7dzE##t+(*ZM+H+-4gCUbT>4t}A{PRAGuaL6I&+R)!a9h&824ihohl1;jLdV-U zrCVO&Jg#G>C*LqgYb!c=QKQe01D?h>2%FWuv}{!dH^e~pYDhGex%8lR;0#!XH0Q7J z>wm?fUrVJ-_nkNS9Ti{Lvf4hs?v(B9N(=FOf?C-ffrShHTqVFxESK?>EZyt^F-)EV zF?`n1gUXq?)l?jnJm^H-Og{QjE{cElbO-dQCgQ`QdQ$Jod_P)ebx+P@7Z~dCb|R z)DT?FasEU}es$q_Fdw3#-Fm!R(~@dCuB5cDf#pXEv`eMEo;B5q0Ypw$(DkX4W!J4r z9o*z@F@HZ+GF?`akB^95$g_I6zBd&*wa%XzyZ43tqj2%$zI?gMriuvYP)C~GPuj^}nsOG-^{goqGLZOYJjiJ%h z^_3-g20UM=`ZgL8&>}#VA(z*qE*L$pA3O^RQXKz1$1Evv{#_0Ie2d_*gKks<1Boho zBl?3tY*Y^G&~$DafYn=HH?PjiXA@(INnT^YYA{1jRQB*#^4goPbTFDWmDG{KkXS6k zmyIgj2(`@8)+Rd499+PJ*Lht1cL-8Tr?(R%!}@g7Ma%S~i_c@T(n@P~KW>W~EjY5r zWl0z}B%n#`M;wxQ1fn$$1qiFwF}Y^Yy>K`)A?XlEy%|zn7Cro) zw`c79-pIvt^AREo88d3~m-}&q|0q1Z^*@go(eVrD0cEi*h0S&{hDtD^B+x7*Cj4Lv zZpSqEp!kMI?-tDZvJe~~vy{~a*25d4=fj!nBZCpDL)`E{A%{v| z0K6Ny@b1Ik7!4~UM46Ub4=}ev1EPh6__!588OJe-&^yG2oSYt6!>by zyTU}3VHKQQ8e6_)E~@sjs-d}-W=>w_GmWyxfl(hiDP~RbzcRSZw1(#nPcXA~Ie+rk zA*od511A#wkb;MP@;imfjII5xS&cZWz)?beN$Pv%%tq7qYP<2%&P}44aPGxNd!d5k z=e=I$7sI>o?S$my#)>+tz76!pv7#;?Lawpnh1rLQI;hNDJE{4YX2$j^%F=`vl#x}S zxegwI@8Yi5z`yfd3lbg^7OMZiT1H56(U9PkMihkA*l(&XCnan6WxGfw0j1zoM8QD) z$$`G<=`;W1qe-KDdjm>g16HO-pa=gfW!$RXZnkSd1dJU1mwQ({8g!i+Ol#MTEA33& z-ln>sX5A>2{()wqc783l7k}SUPr+byV$OZ#hq2Y2AFwS&5U$(JQlx?wK;;ppUeBNK z^6Ppq5|lf2c=0Z$jn7cD><9(LBCJl@jM$v@0EQD_cX@{BERc%V1B-w$$vwEfno~V{? 
z>#Eb*yQx9zq#by`qu`DtTB!l*u!zw0U$|9=NHH0BM}=oX*L`i7AUNxz>?F~+8;r~e zQa-pM@vsG-&fcdrH&+Dh_!-KvDsxAR^fqHJEz$~L;^wcn|#B{`N z?nYDvB`Yovr9}PL?b0*nvrL8fl1EtY zKK*4#%>v~^4H{D0Vl(~Vq1|Zl)#*G0Ze+;S+d=Zr3g}uHbo{FyBZh@Cx9gwml;Rt< z@_ebZYoAUw{Z53_@|r}*lt7{_^b$!!$J=o%ga{a6ahpCkjtBir>TgR)n+somKsgy> zK(=mPYGejoYXr3$q|<5B`lAXdRk?FZAPgSn&4}gIAcS=k!$a{B7?qj^e=) z9-Zd#zcVb>cQ_NO*`wPc99Y&LE#@5LTCUOKN13mGe|XBvOZJ%cIZPUdc#V&b&Q9aR- zkvN1Q$uQ{mFb`dxziz<}7?5Ack>EZ$;d_i}N{2%Z`O$<3Gx!3ynwq@$I|T`QT3V_~H%d zWCzkT0Vizv^!)O>c-es=UGQ5k!GNZ?g!>-^`!WgwPNUQ6vt zYp%eO8F@tBzHYp+((O@+8DX^Gc4aqADAwhS43XDaU9RvPp#z7-+) zJXa$(D<$#V`zdGZV0I;3fgYWwl;uB&3kfNTuCp)sikVO^Sb4dQ43MAdM?i4z_`JN_ zkT&B8-+YqMGbvdbz>F{Hj2-@)F6qQh-v2cnb>b?q-!WEL(L9klhM?L)6cI(Ene=5U zWd=-v3ru_4gre}_`6xU8HnDt(B$f-xVWH>GkkhfcN7g`}WFvLQdg4E#c|$8aI9(9) zNAhq%Cz>c0{3sMxj&3kZEEp7j&{y?5Tmu>5gIcARNVuIe8A^&XXwBZ2ZVA$JRgrXe z+c5KeuDM`dTwTf67({+3FRU_t&#Ru8bO!MZPJqQ{K?-rq$fyWJHO7)TF)INdt`ntL z)dH6T)v37pU;p!%Ooa-13ycuBN0Oo>N1a9tpZDKgo&@k!1&?p6LXpK%a{JENHXt8r zuTBc)hIh|~ER$#|6luBRa5tJ<*W&wRDokC--uG@K<%OJ!b8MYCda?MXfo+|VU;mvK zqg37U?CrS~P2Az=J}Dr?1=Fy&hvY(d{>DH|fxM=eoUY(wd?_5tCu?Am;8!gyQFeF+ zpuiHMavXOD=X7#BfY@V!h?jU9Bk9`jv4@7oSTT0 zN;d8LhSG2;Ud9)&;abTw>?ew@WEJH+L zzEQwTKz_)$Fh4S#obym?G0LU^=j-n|)~@up!w2Qv43mtYeV+b!E?Ma6|(SX_4$W{_B0>r06;SvZfZYeUYXc{O0`Gl3tdGR3E{!9x}PX{=WDLlWH z7vR%DMZiHWR-K+)m9p%M`Q&~{Cc%{6RBeTy?LG9Eky^li;Mps3@lx2Oov);`Fe@xN zqn(phhe!U`UH+oeHY{uWVr<>}1VAUdtwy-k{ksNN5mRJyKrN>ZT)2-o(uAQQ(_d(4 zfkBPOXzj=$+W@9;yn`$qR(R}&b7*yun*fW4X9qVB#+73ow_8B)A1?ZJrXe2KLJNEi zV|qv@AcZNjznt~A_7<{7`D~Z~nc^#iJ<v=mR7Qq z2IDX6zJIa$ZBsR|AMb3bU~r+kzAne2I5$|X0f>nAVe4tMAk}aiYqb8eiGd5^l&)3M zg(k3qQ^t*nJQq@(J;BJ)JcQWnW5$r}qIOxVzRv&AZxM4Ib` zYDVi-MdxcfduA20iB;b`9(H}-vf_d=&k~G&Yl(hyJUO+57Zm`&oIpH<1%E>g?7t$r3-Hfqrr$w5#;@@NGAA<@xS&W4OIki1Ue^^y0+T*~j7uexrsyY0h*tB-5 zM~b0ecJwIL+YB0)D+OYtxoVF1?wmR0+~uNZo7?{UCI6`(g+KA&Ns|7S8MdH_yJjo2 zFim@}U3Kymx|=S{n&l(w+$$WkCEto~6HVq@NZmt?PKMUlw>OZ38vv7m>JP(0r{`;h zLHc#Dz=U}sgci!oc*~=p9jRZk2A*Fsn|>)1J|h>zIFTA+pDdA1q_B5TJRurh1C4;; 
zO}I5yuPLX>L+~OMF&bHfwwE~yR=PN)ED^vrIA_~jh( z6wdhr&NCgzv*yW+sjj4QVV{@y{MS?X%U)flpJPQP;%Z}jU5|I!^B=QIRG}(9;Vk9v zl>2_w(6t`jjEKy-UD96!e)%vdz>FL-qX|#!@|x@;uE%V;$P4U>#-vWoQu(r+419{z z`60%@rt}!I;TEO66GH0~wSmX*KX&A@7YRd0s5NqWfmFD-9*k<`km#?;dZkCxWG9{fa_`W&d9hNM!pjWZ;)*POh;XJ;SHX1)nXt_sf|bzNZsq~2N8aCM19t*+ zF+^HTZ~=sb!Pw&!m^$0%%!M#`d1yoLrN~75X0RY~T7& zS&D(=CVIaAPk6>qyp?Ro`I4|uIsG)H+cbGFi9{AwicuxUV&eo3Nu^#%PAqAtzY6MW z^8uDTOzRS4OlaP^KNY-V7CgHV0Z@&f_1Ln((*q=e_1eCfO`wEGUMnpO!zwbd3e@oa zb?R{^wq)wyvF|+C7V&i7oELRsa*#TnJV_jyU4ju!e;$Q1=11O7y*d=gf-Vs0vowtW zvi;3ipkI-7&+)H6%Pr)P2?Dk2#8BRlQbb!83M<{;q}xes4|D1vg4>0z=5N1ALPc;| z2dp7sbyObf@l=+Vz*eU;yTc;D&FcXekM!RH@vVo}ZR->u)8=4RkgllFy83m**?ani zp*LwtCs_kfweDHj<`iK^&Su&r|}wu`F-O!yd1(uiFv1%Ee;)e!o3Nz3mk zwzcPWakPnH(sKH!C=IDR7u5w6_RjeRCTZ)2u`PkNlf-YG8z2qtORks9!w`P4zj5zv zI|u^cYZ_oeO9Le{2OOg|lG~z!{Ml^_yKMy-YUnS}a;Hj$*hilq?BC8U-3*gIouSd( z6wWl~{cBh)454+#Zz9z9Txhu)al!?ZSaEJ0_h6OvnMd!A-_`-1x*i!_kIW3fTG)Z5 zcBO;Ke=sv}qrQQh2do0qvaG|bLv!19?TkIa#vz5t4hRV?pi8hM2hu_5I7ESJO_}rq z1i~*H71{Y`nd}-)eHq!kZc%dQTTarA=Ya#d@ORbSUQ-&pdl=hOrH{Z)E?}clzj+R! zUD(J{;c1MwXmXsS^SAP?W@X8*1**4n8tc0Qg=PdiPGLQrp@oxFA_lJH+8i>gI&H)? 
z(%tYRL5PV+46Q9a@xxum{HjK7|AgPV+rjtz*I-OF^RM=qGXjWGXiRrR_=ptEjzrHs zralmCbHN-rA%<{@AQ6ouI5G~cD1+_SkW^t2zcw3$INdDn*@>!KJV>w^X7X<2m#2)z z7&MX3b(^lpg1slPHC(5BZ9BWvw8^_=r~0n{UFz06{?co5N9kXv5ZMjixUb-a9*sC5 z`D%(bc~nxHonZJOS+N?9@DOScqLQCSXjEoI+eMyLz?%os-mh_6D z$ooE$V!DvC_swq$39rm7`iHNL#G%)x?_IQs!W&*8MP^81u=4c>|1p~W8Gr`lYEDf- zy#hh#mnD6zx`zQB1f*f$`V15=sL2~fvg$>0mw3t_uK^L!3M*mXa@}Sf7?=6T(Y zrG}j6k40Fe6upCPAZqgX-CVSJ@U~PB^^ROFHD?TyX-O?3tVXjaa>|-?D9n)H(a;}@f$eOTf;Eb+>TxmkQM=ffQFjn z!zx-dz~ATU%KacUh6h@r2e9Xh>x#BF#2k$mOnLSTh&Q zrrrA-58indxc?<7SWQmmg_NVqXh31ncEG7)r6MOCL~O;56|K3@qjbP8bsq5b?ND7h z->TGD&K(cLfAlc9S~d>x%4P|RZtpmo@1QN%&ffhx{6JCjBJ*Eb-}>A^Szda`m*uX& zgiL5o@gO;$UTX2X+0FhY+hE3}+Cn#Y^Ozwghysu>4-}r1w28r=K`1^~#x4$IT*?~y z%ZvQ#QxlCj(rGxOID+7`PF|lcdvHJX@9(F4Ac-M2^cOx0u6&PE(jcE0(4p0uet)+!^l?W_m@5pvg8bzAJwm8u*R7ra&I zuELj#t8DH+yz<>yDg;-QB;8J`F_};*le**YUveWsA>_aLWP>mvR2b8Yyt)~YtqMo3 zE*_?EGLMzmh$Fb;R0iA?wP^@ZK^r44dI)dz!jd6X6=ZErpDJ+D?be$rMK@THH=UoJ z2!PgzEU0?6&TYOOPBt!sKCHN@N(XmnkTgWZXZluYezr;b^7$P_CEt|Yxq=W_Lq%(u zTS#9-V@M{*@M&2Hq{z(reyCliS+2i9eCQ`x>b6awsHS4U|E0zP87R>ylg-#Dn)`(4 z33no-T-`uSZnbA;pl7BW#&@N|L7)5ydOr5)Oq(C@Lbn{V@4gzEC-{XSI@iVJ|8kzZ zXMuvF$U4vnc;R&2Zb83APW6&~>TG1*l zC|}O+oV&ahMBcQJ&5U#>x-o37a_mIaMse9I7RZcPy_T-?YS~HvfpkCyzY+T+8mtgN zv`>03H9Ytg-M_QmQaREKLQ)!3HY;q!G>I3Q7lKM@kyEIW5{g*F&h05UL=i%eqL^Cb zj47j#>tr&+hz&U8pG+f8GwE229d3Y|?rxud{NMK;-Oe#iCuuv6KE3?6w@i6d9c_Y+ ztjt5wxqs1sC9;^jG355#h{C3lwLXZc%Ry!41N)T!d!hYH27L1aK+HtcKoKzPjZ#O5 zdm8ik-?#~@GpJK#gQc3AvzX}`{~)oVw&XngV6_H*e|rXA%8sH^H`=^yYAVM0;dQp= zKzI@-U_!OURS6P%<~GPv<$q0-H&ws{T-%h3=2T~0t8on%u2{mN>g-UxZcry3%?<)I z3*=u?6nX_~!1=n>1+&-}o1y!qtp9m-xUP*;;V7!W%${#ca?YO|hQ7c7>muB8+bs&k z*>LcG^OuVH8TG|c@v#&-;Rc4~!A)iqTqFAMM`*$*^|VDVQ#Z8Hx_)3=7(Z^`j|s)U~=6SSTMWNs*p zEynYJ?!u8_^DG;J3}N8wT3=%GL>s?0@cjJWjhgKvP`Onlw@WN(J`!4e>|@L;OBAya z%e{jth*ZXlL9O9!f~bGtV8%Bi6B<=xO#0(@(n`0FyspR1bkLOm2kA5fZ&*%`nrx=mWuknnQ9T8(E4I zIICvkOP0PSm$}^+c8Zo`WF*nw?dKiHAMfEbW={YPWIJLSTKhNikHI;tjF|@~1#loX 
z7?Qov-c-{9@(mtWrV))gi{R6r0Q-NOtK}Cs_oH=18NSu05vK1SOhUB|jJ&P(J*XXKk>ed=0_WA)sP^ zeU@M~w?vi0(HzIl3>JlPV70yU8d?b%*3){tCGEbtmns&&_0*8Uf+w#CN04mU#d&L> z6AYIEo0@tXjlzejIOFqh4{I;G)z-;qGl2nGJLOq&Pjwe5$Q%k$a>SiDF#)r&Dg`XW zd?A$>oktU-;2!Gm)3OKE-oOD3*7{v#m=Vd01J0?pNBW^AIr)X_S0`u2W`B`ES)R`_ z8n{=`f_7E~4Nte(Vr|GC?x97kKW{J_iA*hh!GUs{qeIxrdvd3pCg~$f7-db3>WQfd z4VwAn36l8L%mp}H0AsIwX}YpX2qI@1_U_E4k6%*nU~X;s6gP`;En_C9?Qy&xug${4 zuP64?(mdrG>I6Qz5gluV!AyIO7SCQ&Y4pi?D^?7sVTq%Upxq7RAl*4l@u&v*#ATW; zpy}Xd-y)3^s64-p6;(*h4KOF0qh{5-51PDKM=Bg`Wi>JP$>i=uA`M|a>I@Vb0>MX3 z(YQnZqx{`VpCVvn|BJ{!KwUI_8d%~I)#uukrtcY|F@&@Jpop@I7Tjfmry^k&LLv+j za|L-eR&b`6!AVkFGIX(s>V)x?R_nIDcr6wy6)fT;`tm^J(}4Da)$htTdU^@=nAvn@ zk(%zvf+x}#`1^0#;`OD;7JxWX{r-lQy=6MxpDt{h&t8cjV#{yl1^Pntc9-8)I?ffT zB#`tiGVX#g_W`veKARBg>@7my%-p4EUFoOXmj~j&=ZS!c~{;r|lg%&RBJRY?5DZ8qz zlTaiV>-q-1h4=1nV6_m>ln_R;p#=C_Xt0o^n%K^}$0e`zMO_ip<{#rt(Jq*peoO&l z^7}ST$D^2t))7RQbS8mOr0diJnL#D+N*NYJmzzQ>PLtQFsgK`{w><1DD^g>VpRADN8^Ne8sa*h0`R(VHJZL5=F zhQ%*xkfM93?@G%PsVsbim)}Q+O=7=Dw9<^rkd(Kezg97WN`|p6G6=G?X7A*zb?`kH zEXBOCQF}Glv3=22a|@Rmyrm`O!$t|xW05jFuvjw^J_l-^uBZD4EB$j&e_Rbsq&*;r zEkk1!DzUaImuEEU{&#Y^)PSofO>2T1i(!$e`R8=x z7ti+>gRu_wuis>8@QEDUN0U%|JuIY1-jYA!wAKKi^4Kz`1krFcLInnzk?6$LD;1DH zPPR?EcUB$g&Du~s$$?}QLSAtl7xXt)dBJ8HJd_uG7_iCB^}-{GtbV%9D6076tqo`& zU&1ZTq}69_0XBEK;rz16Ew$@;BhaUH4h+_YgL^HGkPEmjo)2|6jM~mO18bR#gj(63 z!taT%_P!=G-9m70P6_AAvN1$~=K>lrNq734CJ0b<8AmyV7n_Zo{3E@_PUPF5e$WC+ zq;Jh;7Mnp}%Et9aU)4#=QFPPXC`$DXFvjOC827|OQCZib8|Q?{i73YE#u__;Z@oG(f~g)<3s@8<2D^39 zi`ecKc9oOT)Dv4!O`uEqmY1gI!TXYYg(DZFFWe^~d$3JEbZAE>Jo~t;JG!Xf8T8>I z;!e~k0YSBV#MXK_2e>`PYljx0+wsj!kM_$`HJ@tfZ-v2)r(dap*_iEBj&pw!-Jj59 z{@DHc_KmlNW&%rcP(RazddFR%-k17O3u48>RV53=CVh37B3=*VA}%zFx;_Iq&xP^6 z;bE&ju?O6|=y7qKjldI=It@^|E2g#HO7#Y9Q+_CTMvG50YafL!YGiKw;youyIw>0Wwe-oGpo0rEHM+;wP~Dc$IW$=)x6P-EsJZN=MB^f4Fv#42R}3ak)f>KQw%;7>kcQWCVZgAEu?NUj2t?CZMdYS%XeCrf_c;zy!BC 
zX{C(HIa+bu1i5k=>*TpDA<9pH01S0yWN5si81=T03|XuLpunb*x~|lV!3^QrOBv>HIZ#?^Z#OyQXA#bA83O8or1-+Q`%&hz^@W%;5CL4Gt7N?F`h`hHG&Nq*%Q$0W1V#QSt?MP_TR#?Q_B5bHZ_eNOy|c^N`!&gh&T~VIFsv@ zr;QTX_&xkUsdHqqW-o{4vUxTD2%Ee|_%|qR5+K4;z^ojTOM2KN7do|R+i}>Fq^&~M zj;`C=SQHgxb5LF)Kl%3+?}#AfrLkkROi5H#l`z<0_<9$mz}DRgW_&iUXX_;)SCB}5 zvJGfoM#%e*Tt*URE1Zg=h8+SLcSH<(vD~1d!}8F?N>W5o4;@t&T|%ZyBJ>Crlqjf{ zXPZ8izjcN9KZ+8*RQa_a0Vq)p=6r^-%RuCaNQfahB@LE@M%i{HL%SII(8!j)oGcHN zD(;&)JB}XH>@xPbHdj#!?ny-&mu~l~P|L~bG+rW16KU!77N)7OQI_9S0URv939FR@ zE?fh9+U03qArFRCV{B8$A2(ohe#c~TMYj1&(tKLK$ltS|5Sg_YBoHm926-tV-P##s zL(0?H^g4)B(?uNpfskGeloA8e5)SRaa?fP+yg!6coyFKt8FkD4z_K9~DJhpruRuet zereXBq;D=YB|3eXM{ha=eS}<#j&GDu1H^43tKs}C@dh@_9L?J@VWEt9v zv2B&P)O~Yff;%u*%|`jkRl)lGhr4npHq~1zk%6k0q=X3vaIgK@3IuPp(r4>19xNQp zB@&|vd1(dv6`Dwr?M|Jt@5lJcHKG!Jn}B6j=mO!d*ZB*lzz8^f`FmPHYgkE%7AIn^ zIAG{Znvg>avcxb`7B$_+B7@&XBb}^o!=@iesD}JGmyEBE8{FngKZzc25yg@Jet~cN zriK)FgpboEwS)j~W2qz@5yLq)hbcmuenXc#Q#D~l_}yZ43d>~4CW%%8{MoU#x@ysz z)cZsDnbxBF@FILePfsn!Br}-2B;yQgL}mn(H~Vkmq_&E5hp2Yo+i!Y;tu?;IRhnz0 zsOr8lm+t;}%V@ZuwKF$y&*_(!4rS%0xsM~-8Hh^p$@9C{0x*g-ZG;A^hMXzNQsAbP zaS2p^@;JG4z?N=r`>M-QFDtnR={)bK;MnLN+7hraQkNQ;8!QI{Y66(zq3uNEr&)-H zHNz3aAoaMiBcSXdrfBu+y3~=0uAv@sI!>Dod1RZ5#_Mu8xY@U=RRXXob(%|mcZ(9V zL=VmtpmuNmzH87HdQSyLPop>1OG!JsTpBkTEGy%d%I`;vsL(Mss_q~zzZ_6DL{aSEo zW|UT~Z{53MPJ9(e+3J{xaTBye4${T{cJ|Ed1ccwS_G58Hw$NNPSzpan3zzob7wkRKhsti%g+Ryxky`$dAmA zlA?I32P@Vg*kuO6LqUoq#lOGs@> zbdhS=Zn!jowp7(0>iDILNaZ(~mNy#<67{9s%@^muti2 zp80YQhM<@c))o*%^#6`{GJamxd`5HL-e8Rlqi+#?RREeH8m~}Y~JzNj_&bwjg z4FDEu>~r2XjN&D2r(8SS=l!H-#Fr$s+R9aCLpZ&TiZs{YPihIazUOkna^JXvm)Eo& zYc&Al<5;Ycnf4sBhT-yQUBYdgeI}xNJF8$I`G+DY|8%x(>xZNn9CMAnw1T&%iB!7) zx6v`fVa5kPfZ3kx8%mAJ`L5XuWkwGIW_6-0 znNd#qkuC)?@R`bT-w%IL1l*A2&ngykI~}(^U)>y!(aF#kSLh+XR47+8=C#^H?Sf6` zPOF`FEb@{`OzxuWjYp}@DXxePJZ;regQm_Jopm&lZ+4NcA$;@OL=K<#@sS;1_ zEXKcDJ7J#1k|eICM(>JB;D-jSB%Uf|P!(^$)$1Ga*mGV&?scMtvU%v0Xcz%2z^0^@^ zjTaKyU0^!v#9}jHf(gr(;<- zO%KLuQ_5ZuL%D;O&E;CvG@e{d9vF-&IRE+FM;^NHuPNNXEa(6F=ju7KrN{L=E 
zxpW|Uo2k&5Aw>TCi14R)o0=XF8pqaAp!g?UkG^ZwwRt5!HVAvb@qR%&DgZ`Ai8Df} zTV6t7)S{p{C^B;8b6#gK)Oae2f~S};=ly>$gvbF>C^!KWQVM;6JDjJ#zHQ8>$35HM zcj+3Bo4d^~JJigQe2KR|rIZt;H`9Vk$Zw-4L%&_~&kr|ky}Lqtw<)=5g)`MZApR_- z{35b)F9h>;wGKWggmxm`g^*uc{y&AG4L!9)b>c3{W{#*>lyxQwAl1~ofD@-LTB#3k zO>2g?f3x#hi(@vdyFdG`eInU<6y_Q%3UD1o_3egkdqg? z`{!~`EEMVY`ZOviEByTh)(qvY$DWnPHUoZm6FVpYN$ecMeLtES>*GHqpi8KR2!Djo z;W~vE1hE_dCfG8{3LnH-v-PVS@GC8cNQ$5cLiyvFmD-zI1G58HQAzceq?C~4?_cW5 zqCCPv3fe+1IkA&1hp8!oM?GYTEdG$aix=N#{fi4MW9*i4oU3pyvg_pLc;m&=;kDk%lip!IWSO?*>j(3keUU0PJBUGQ+uh$dd8&n-{ z73z(Yo#`wz?cyrplr%4|0#~a_*wpvFPm~VK`z&Lxw@4%af}JPG%AFQV^g$N#Q|j-$)Pc zx|Hl5jHGak5vAn${2bRq1Wwz!jH#AM&GL{QWl-Wu?Q40n{d&-as3s?rmTo~$O><9Z z&_NF_Mr@$D5pg}4G9Zz(;HalX_f?-)Hlzjd0JZ3oF0#yL$A!v-$N@@5f*M1)j-~dZ|Yvb9|SAA}j1~oDq(5 z$*4H~?;}+L8r{1qbcHYz5xS^hj!4b_RF}HgvUP2{2;pk0Idsy^RRHL2@GgcHwgbgP z9s^7wVenq1QMw!;Ge*`H@U;ddPYw?bUi$JhGc){&=1)Nj?X%7-x%2V>84t6bYiW93y$I z7XRk5S4UW>;dRx?CG-L_iqD&;Q%!ACGRk5b2XQ=QY$64fqsnJtbR9P@s5DZSU?-8X z&=cF{o)q})r#-~s8WTy-y&h34{SGCym~>dNX}mMpgbj`CW!1IfSPO!C?n1t;xq5~s zY`V&M3i6hF!^@fnF-L@DJowx{`ZGmEcN-%JXB>P$L`*ujF%I9wv0VA+*~ih4ahRq4 z)qf5WV`1XxF%rn`y~87NEqZ|I+m(s#H>3w5slT<|2E^Z5($Rk#I@j&w-5D4eih0zz zQgmB1f6*MGwLBXfL+07ZMvAKJ0PmSHE6%1rRKc^}NsAxUgK_S;e^yaXV6G?5>FuSX zVBU;7ck0-N4g{R{V&;HLH{jmtqVoIo-6>@mibfQq`;K|4Xxd1=kaN~ME0O3&m%pMK zF=5p%s?Rwe!`z-p3yl)-G%q|9bbutI`>3)V9EB?flc8}1EZ)xRF@)JCrh|>wt_kts z5iz8*b+b#!Fq)}b?5t;Kqvt-G_tLZDVAEmE_}3(G8D)?Ih#J{bAJ+%Wi#Xv9)^z`j z`hD|o1CDCIeB%mr;v1{rDNZ^ikQMfA=4Qd?Kg&WhpQ5(do)J|(O3CAYdAinw^(!uB{S{tEsi`gSAO|b(oxaEU9Z}ysN zJ_Gwq4VaN$Q4tNV%?wY$SUCapG#2dAXgQMnL-T9l zq3T}FdB{clHboYgZL6UL^W6ObvAx<@M7Z68Tg$PgQyqBUU=8LiDnRd)OZqh~`+9PVAIhl2Z42Vf>$Ce6KzGj0L)oSdtbza;=Teh^Zw^dtZaC|Yqni#Ws!n; zQhOl@OQ&WEmpOP|CD*u=s-)C>zDV5j4klcSv(g)>)3KkXGdh`1sCcpdco;8@TC-GI zq#|IDiIv}_ZH)65dzcs&=+PX{-jB_l>TnEf=`ZkmV}rxZtn1CjL2zQVsXiHq|Cv}eh<`WHLk@MaES(pTAA#gBC9vH z7|py&6L%d)1SF{@Z`2>b3@Q5`q3Ak827jlQ3^OUuOTp>^0h0l3hfvlpK%^zpLAR37UdC1TQ@ 
zJ`@fUM$n>m{0uDaql%e4)C0`+M%3}w$#k-3wBb3V?}2WmG7O#&SxNZQ#4}|r=H6qh zw2;a)*RZTMg!`B4+phM~v*we{iS63JCKoUo)=4g^1wu;abT}yfX{IiEi_Q~!Y*se2 z!r!soQQk`TYJcbiJJjipH)SX%D}u4Tre@sf8#-VB=ektG28LG}ls{g_;m(xNMi$Bs z2=Ozvg7;G)k_rab$UnCC+9_;UMN2Wq?v5)9un2gb8mMPJOeiin61f?x$q!C+afsn$ z4QKu@(ny;7UTG}xmC?Dfk*9Z^>lV&TQftfiXPe)oU>1#!A3rPB{Opa3wT0K|K3YSk zWrNwQzP|}$b>06W3;9{ZKHD*n?(xMTZdqbdESx}|f)9^^6~Snlz-d0fXdG|4Kb{YT zH)Veh%3z3NBg{=#Vj8rV7nw4LAlybRbVATtymaX~deh@m6SFx0;x-g7~Da)rSigLawR z%R|vx4ClvWAHiweT6^G?U?d7*cP$o^|FvLsf4cnCMy^YnBJU(VF|l8gV<3=33tJVo zltjNW)3dH%1jX%^QXW51r%b`lq(nbpOw(%*UevtFqq}SBA$Z*2>k)hT+G$Rjhuqrh zDY4=_WZ}pGF0SN!G>eult|xxFaTfS;O9gIvn&#ELoBd85->i$B;?$JH>?*|rKd1Rl z!T;sok51DsC_&j(zK$hF1gq7$@3}ADhSj~4U!H-DqJDx=Iy17LxySjE$s7ggvcwG! zZCiDXy0cLWTgbDMFq1f}9;f>Y{?32BmY08&k4L$kcX)p6r1iK368r%uTRJa_5Ypfkkt!Ia`B~M*Lu&CyQ z$K!amZBW8;f}|#cdsqXTO**V6V>(d}AWXqdZT+J9kr9x~bmfy)axIk{ER~JyT(wWS zq#yQR2wkXxM#{TvcDTq^*1aFKmAI_&j9-_`zIM%_siS-v7s5R1M~r%TFHFcM(rf&c zXzTrowCmU1j>x`B$14Jz>dxKGcTM5o5|DAhk~*;&v3P~_^)sZEoq2xV_}CG)J6Ece8JakWky>v)xmyc5&XRpT-^+1yh+>I@k?(KO$jt!*9-DV%5+}{%rqixP>e%ij30#0$p2GcP?_3I$_W<&o8dY}%P0-v7&Y zbpF<7Q5JZ+W95!bZp|uHi(KYz&F*pcBqf=*LX}(9!xh6nDUwK?>kMF?AG7}FWAjU< z;msKA;Uiz_6>)1jFg%;UU{dS#av9-rJ16LIdXyt|{_rMHX+jIZ`9A88ert%*rYggQPDlB8F{80Gj1q2Hfb^+CrD8nE)3Qv4mMfk zgSX*FO*dhNFD|$}?41i-TRS0shc{x|Z9!^&bNLo*p`O3W#-iP*SIBIvKeImfiJ0Bc z2ctF#?uX-gI6?1Ew{9id-kh5_jZjX#$z(mxSr@DC-G(3I`b_t2lilBn!*KqsaJap~ z#GUE9kT|i|rpl?x0#)VbUO$Ri4UBXS9^?3ICkfq6QHJrqRax#Uc#tIj6fgGLli2o3 z>UB_Qb#Vwm{LCl~va!$@xr6BoyC0$$bbi97ZUOq*>af7IlMQisMOu0FN*Y*_o2($q zGD<@xGW+V)ED){Ee(}Doy|36FkR@Gw{vPa0quA>(`Q|}0#s#WQZ zm|^h@C3p!l43e08pP^i0zRa7wAtd1=Pjm``w6DsAq!HU^r(zQtyc^nak zok&o2pg1r`Xgsz^JJYGtZJs%dYYj$y5*s8hUfHYI9LZA8W3ZiZ z7~KAGb-6Z-o$)>)WV9V-$`Z!Dmdk?-TvYPl5Zj@OS7p*yWo%C>Hdk;a3wi6|7W-TH zp&_=cOS!aNjk`PP88GAlA=mvS&+dDVZBeJ&s#lByLt~orsaNH5zwsZSkV4k3#?zg2 z3^4LU75hKHp9=ahF%7RxsxM~TRRsejMc8n%lpOG2IR8@?S~E<;-L5D*=Z5FYnPvYV zGcj5+O01LMl&%-847t~VmD2f~7NWkNxD77DT@D{MevsIv72d<_8cYV;EdlTQG+>l) 
z>#9f+oj--%Hd}m2vlRY^`;PUfKbTb;=Le}x_Jh>^S!T`us$YYtnLBf#jXZ;9*C#|& zqMC!y6qcNt&uj+-Y*UN>!oso%X%zfx`E(ZXd@Px;IZpDPx2w4@-E(HUzIb-SSYiJg zbmE`!Ybf_j|I01gg|(>m2ujWIL%P9oP>ufbk;EwC=H zQHx=1uyd}WD*J3FSGi#=OzomByW%^{Ns}FOuLXIYrh6Hal?L8qwAB?KCG9z|c5-R= zpUZC5vp5;FW9;;&!y3}|nvDmT{j&Yb!aR;=eb^@3pPpvY?lc#TTq#4g&WSW>pv_4t zhk3Sw5O1!Y3locHT4>D#{h>?~DWvQ|x4fsGUz-i4Ho4uUcJa1&#c!%J<#?^(sv}Q7 zEW)HWiR5bxh8a-T^~P`d;KiGD|AuQZ+ENUaHszQ%?sDs~()#jU-m5-~>%}l#ce-mC}-Xfb7cVWiYROc;u{#>RvWw_?|(%IU_YE9ALd^@#vd@$DsXF6gL^}u%ia$pOU z0CU|*M}@A%9;5E6qr%Sj+HdAxJceO8&`VdtOw0;#^OE&EOa-&D+ih=*_aLCq2WJM2 zI%>fRlwIkXm8@AMfThC z(`|0^8ZG7~2w{=7{i(x5X~gupDTnXt`F?HT1}cjG=w^Pk<0PddWajR~=BB&D6T{`g z`|0s&0;oFO%e^N_fNA{O_2qf0qol^$6*%H`kM5>0Xe5Pg=H~I^BZckzgFNW(RZq^& z_v_TdLk!y5UW$<Ghd33LV_f;Ll$VdmlcZ_&#tud~Oe~&uzKU1!jL`0&%q2+|oiXnfxQCQ{#EDZZ0@AAEjw z@9xy>;+0TA_CbX(_yf9y;2Bx~m!@lb5hMXi`TWM2+|oF2>?ZY7YnW^+g4gnt|+ z_VdQ&w~BqX%6RmWzEIV~aDKfV$jbJ7dVIY5HBDMu4axp_fcJUtbMI9$KKz591vOyJerAa{1t-r34{dv&fpyg@l zFgSaW^*Qj=@2`4i7Y%FiLIfQLlL#usYAS#SAD2a9*3_K3{6P z?yzmr20N?wa$LMHw2NsUIjN|MOzCnNcsMn@t2eV;q}uAF zIgHg(W{|6SleDkIh-|3-u19*n_5Xbh`34JhL6rY*x8E7)S^uXUW?4EZGY7|ieq@}i z^o{JztWD^I%^VE==RIi#28RDc5i+wkur&I2632fcDcU*d+5bC z^ZzM@nfd>C6z2aiiUvL-+rJ*ve|Ir4FyS*ZvHaZG@tGOu@mbj!@tK%8@L5>c@mbhd zeuNpHg`EwbmHx*@|I^RF{7;*Sp5x#Au>DiqtQ?I0Xskaa$i~8q&&I}z&&a{_kBxyP7~I|Ivq-PwP_ zrf0`zWn{%?;rJPdnFXJbi249x88?En6~smTMvQDenv z*9-3zKm{Hjm3H^O56%~gw-snp0DhP9dY_O#pV&7-{C6UGTs_TNc!fLlh8}jz#^K?j z%y86Iq@wKkdxAao$h5@fg7LY#z6mMMLPA=h#5A*Y=3t#H)AM2zk?pm|H&CGR#u+qj zn9sMz%a+T_$94iZFo6A?Bvk*alGee!myQ+yKEh=bO=e^cEr((wNUjI^2Q*Ym4obZV zGcAAy^hicbmNxHO>dqsj@81ak(2M)^Hv_t_&nQvsZ*Kmx6P4ush~r9~Z$vwv$ezC_ zm$P5LKVHNq{BNd{5=>^cdaPejyL)`0Kfl)B1wX~YzPkeoD*#%#WQS+6mK%>y_Fbv= zp-T42Qmj9oc;VvTA$^UnAK#DHw!i?)nt*Wly6PO=i@uZS09E5~JyA+6f!)0yukadi zrY=0;9@E(<_Ti*=D&({I-b=RH2D#Q3(r@-FaM|T}*<}rOtOT>Ox3V_AEUwH%DXxUh zP2tW02}b=HGe`QUxqsyhbz26Y?0}oLdJ_V|VQiv`HE~pOk0I2;^A+W75tYc6@GyDm zLi^(@9a3?dUf!ky+;VUZ-)%N1DHJ}?Vv{OgzVWW^B6+r+T*#uQ8IhGl~?gTq{^*Aj~@UHuy{5rY} 
zmE^lAlYJ^^0}hFuc6w+#kbAIm&1Wor?f5X~JRDgZsEO0#Q(bt)`xbxajC5Yej#6~= zhHBHCUP5@Wd9(e7Xdly~w{60=-I5FTHaZB-3yKf|H(-w80^I`tkN}vDWo4J~tWDl8 zf|A(@XLWOY8PJH<2_7XoO6i1r7zBODaop~C5&{Lh7`@&UGpMJo?9+krMtWZC2YaOk zB6>#8{YA;J_rj0fa086ZkCPn&Rp@6ick1HeXFT#d5{7ddj;I!Izt(Pvec5-bXY-5B zjB322ZqTzosv@cG?QsDTFq03kWIo8(hZOV`hTsu(mRT6Fn~D%Ki_tv(##O*k~rz-zn%( z-yjgX?Q7dn_#^`A=WG0)J=IYvBnedgkxoXkFxa`hB$oJES2cq=L2~Mh0YPfi^<(P2 z*=9+k!=~$C=O%R z4CYK1qu1jd`k@#vV@Bzv;&5KA@scOVl~}QT`oN)(4?u8_3+9Ggl}NKqm6Gr&sq?w@ z$Z2&kX+{B0umJ(5p_LYH0ua#*lDR4Fj2^skR>)3XF< zM5I%DYgp5FTa=E|(B)jD6NwG%6*9VEkFI)oK_!9MhyD+8K;T)y`nc|^5jLWR6bJ~6 zGzH+rzF*bU8T|};RHUP%N*OBCDZwQ~8|y>crHa#9h%;_R4b0pa7}*M(SFo3C4c-xr zFmHQlqt4#E>GZhq(zuxRr|NlE-0wz%bZM)zsF*9lh8g8>M=(}-L3U~eQ9^@e606mb z3l!*Mjb!2R(D>g#s~$~t*82Tc01ctB(=TpJ`>O9(Q{OhETYN6pJGlXUu zLODb8&B?r1^Q^KtB=gPDyply$JYLBX8yJsjv{okbC1QvP!Ld#ZN^Rte$zMkt$EOph@)=V84yxNU+sicD9l>CVB=)?Iw<6LUg1B&DbM@vnCJO; zCi-^TfOu3eLzx)ETk&J86!PdksqV`WVqenF@x?Pa8O%tu?>9Xod zL4&g~RG{0Sm<9Kc1ZVx;No{;;7FZF}lC>^fI}U52^Iwbmy_Q& z%)D|HIe3CoO&J-71xpW6*9R_IfY>s)K2g`8$&pP&EZvflkoZdmRV+C!g2Uq z)^rmgnKbs`r@Um-DjixN5t1`?wV+9(b4Ru+y|qU*=9W!Pt2wjdKwC>XLh_;WOcm;7 z(jn{&>b|J?v#bJD!0Ym!U1+(sl9>V}x*&>bQtgNpglKD< z^0PtWO^3uceLN9r!>0djC~?c4L85sb+!D>B0f>ybg;YK)O$;GB?G?Zy5xpNkUT_oq zp7N*c2N8l~|56No6yhJH(%B_VpiPFV#h=UuNO3!B z19st|HXJgSqSEcY?bS#JNO6-)75;Ee1mC}{XCH32!FGFDFk{Tv~Y>sApQVeDDXvkbO0&df!GyAUK@YtY$-;A;A~r zcI{fDqohS39&sc63Goihyjt zJG3M^v?p7^g|R$!^*A~B`BGpw^-JCSF16#Ea)$OdJ<@a*1#E7jWM2g=t!71U7~4|V zac2$|HYGc5?CBhew_IFC@S$LDSmVT4oHg;`D&>F)l@8q6VcKt*zXWb|+(QGP1FB}t zo2&rr5P8HNCpi1>gagtwK&v7Qk4zhq3CJ=GjSmfJg@Q9u?U|$|k_Poho3QEQHR%tJ zFq7lFyE*85Fed*DY35C7wnko{Age(s=a!}?CZZ%!3t=R#Py9~l(-s=E?`YK&81ExU zZCc5pc)fds9&_n)kniZGOA{H zWpi;=PDkY;iF?}I#OY7b#vf|b2o&*#%Em!$B~@J}^{CYTd+BvOKlj@uJB70UOIEW5yWoUFX?AubK5 zbJFQdx8upQuy!M{EFhm-dUK(Q?$G9?0vw*ca;f~IQE=JDRLRELU)Uz-OS;FSLe*O*^4d_Jj0(s5 z;us=J<`S97T#Uw|1R{$DVIk~Njv8Xl(T5=lhUMiOz4FT zO1PNtDIxc|5c%>c`|Oy(=l9&VqzR}eZE`Epq}2onkj_qfmmvy_my8&Jx@N|~*$er5 
zqO(E#d4Zx0srOOp=GCNvwpK_4iGcY;?Yi`L0{cLQBzgokT4{%rYY#reXWmh7LTaMa?RM2u`GSR4}WcG3DIwur|lGuJVJ zN}wBFXYL3CHrS1Dv>KY}>bSAPUGyQDVq&cbUid}Im>3s?4T{I_o?QmqqG&(QZQ!8N zJS$#Mp-gHOhZ+P@&b$5I*kgXzeOz}QFk-D?p>y4K<66|XzK>JR+v<7jxUt@S*?c@K zQm6Rng0fyBs*x}K5S6W7x3D&=u7sV{>k=f3bUr$9U&W&;4it-Rgy3gJD9a?;K;^_v z_>NtQfZ)7y{CgYL9!pEhoO)1|*9*1k96Z@h7^c&4u2Q#-on{O<+`GaMkq^l1yt0!W z-ZJe*^a2EoR_6G!!zGmpV z*rYdez9>;LtoI8S5Z(9FE}cjBM~+AAW=pH~GuN0%^=H~W9sKo{%a|-X5^?|*seeIG zYYjQS2^&H-71a?7r*=d%Kxg!Uiu}}iE3Tq9V1gcVz^UU{p=Aru>Xvg#0X78+hgLoZ zk~AP|g~VeWcGWwm(+s3nQ4a;)0+SQcV?1en9cpb&(@;ZGK{ol2q&d3hqIEbYc>fQRb<)}z%gXQfOa60G-(4D&=qX?gmNoY6?4o7MaAEW zg>fHMDBxwmEvO?u{x?CFBS)_kcDnpNnZfKQ6G0=vLwnU89N28MYM#7NvbV9II)J z&&6&pG|-AnmLfro&H{t(DS73C^5W(ip{});N8@?=E_o}4p}P5s_4IR^KfVi3$v3Fd zN;br1r^qR!*O*;)&-`!tE;H&bFY2-{`fognPELwb(o!Cqk}B`Xo>@R>qN3M=M+hHD zQK;n%J{Fw~4&5kjNwF$`Ps+Y5`BbaXb%l8xkW47nfhmfYD3J=!38=Kxz~t0))Kql` z+*sDw7gtjr0tmRGBQm4ndYMG8shEDh`p}n zi+Ud&S68SZSY7H84mJ>{4n3@Zu0F7vnlVEVZ#R;};9NEvalaaC*s;7#*SKk5eIAzPt zdKuR~L^c$DihDUWS+Fk{8cK9&Z)p|D%@oDVPUkH6Mb=aR5}{ zxjT*-(bj~_75p9c!WPE1!~4u1PRkwcm~f9(li&k;G*VmAzTTC8=K#w6G0jVd?6BxO zV9zid5e51SZ)Wy_ncD_)X@59YJyrzLMxUW@KpuL_e^ED)hDdOZw+>r?$w0-b!fYstFkD`I!;sX{opS%{Hxy4yf zVb|QZ)XHnl*~=}TMf^E$S_KDAD<)O-c8|Z^R{7RScjpl8fhsj3O%XCkhg)RNt zf_*E=Q$oW{|7`4gLrs-ecb8Rnmsj>LNIr*D9njdE3-daPF4UVOy>fh}w^8*>rOBH= z5lA<-8 z=f$33Irg8J^T@T`6XFZf7ao3B>0OR}O&(@!t(mwg=5$ty&bLWtP1uMMio7cqPRH}imMCQ)%dJoHLW*GLFUKb|*>fddMPB<>#i6;#S0 zBbz`WWg(F)9_S}CQRC^ zcmh7YocFK-1-f*q3`li)m;^eWx5HT~IykSp2%(*~47|UwhMI0yO;lkoX_Fm9twQ^8 zE{jgipdr);@?aGqf}BUeB9k!Ex|1!TlQ2n0T9OgL5`G!^2qxNTstQ>u&oN#*-n^eO zd!gSPijvv_@~IQjj&VKh_X;LZ^7=hk4s&7Ocqgt`TR=cAvNH8Iy`4LJvOwr;p&TLE zs@mS4vw0&aDLL$m9QHexmtF${FEf*yeEp6Vy*Dna7*ZT`^N5`B-aGonP2xIh{zs>4 z9+Ej`u=aIn!BbQT;a0XaLVrPyDDqnX*3=q%a~J9_$_~fSTk^z~4ov(S;z`3$RTxF~ z7|1B%wQp)Ufqx0*op+xvAT@122xUE35iQijP6<0*#QY*luMoO+QmJiuv(s-wLbQ>I$%*mFd;|>9(aKRNu{5ds9F=}<0vDoBvP7|%Y$iCV_nQ=z8_V4C z-DJk$^q^OGmip|CWotA*Rv#-Cs%Apmu~vUnX^OLw#HPG6fk#w4FnLX{xkFcc>er+x 
z%U8C>-$#EX#jbf}zVoEvbFyHphS7j99IsRU6$O)BL-LZYvg+nBru`()3U$b_xoS8} z&pQ4Yd#(i$aJNDiYUk2mxmv6i0nBNw(4n{jFxuIB%&YV5D9Lw*rb6J{!uG;(HNS)i zkrkFA2B)+B{-bluvXZ`s-n#1Qrr9mDJ6k97VGiyM=RqA$#zV{m^O19RH2WxrfI|$Q zPOjSdr+I@3ov14t>~v4t<^2m8%}T7QGOTjkt8i)x_vwKeAKg18Tq%bv7(D%Ljfav5_%t6h=ZF}sRB%H5K_ zj<2Sm5zG9c0je7DuH2PQrM03r|p$fTcMIPIAp1NBLR;vxJvQejUm zUQ%1wY2LIgNzpd`J0MD_#A0-Y>JUh?1K@UWcL+%ckcKfbTcYjvUQ$&uk12>0aN~1L z@rzi%8wUpf2M9;AClQkWa=|AvK`ZmC_aFR-cjB0&)H1{4_(99xqOdYVIy(k0A8w8& z5+qVuSS74J>gg}gvWtg#9K<1mjFjU|SQ_l#66Iun$ zJ67AAv$D$b9j{rQ$;3t?(w^apfJ9>B*my+}0`LrE~ycO^3D|#dRLH`8y7KCOqTfnQ> zlGZl40-AOmP_Aj_xXxDcczQ3Mt4CGXKwEs~wy@FKXnb4WrP)AYv%Gl#Z1U2!ve_;@ zQ+LwQyE18SdEERnl?!*iQoB{qoMQrB)@&c}Y_+_tq;Bj{zBRo*?Q{jE7Hh7sTo<$S zm+<1rQs}wtlB|AbDs74*<-z*e^15wv#NJ0FBkwhR*;N{=%`5`F+56_%XrQ9SeDVb{ zjO&R_6@?lz5q;Xf7Sf@2z#r10mN>G!7B$jQa!41~Me{^SHRKBcWxBWPk_2U17&`*e zM2LaAxSvBcjp|f~*p%t63Qb#1uO07i7Ni6E6$xb}AYYlho)so6+z@ebKPSAnTo6-k z+-6ySTI=}0%Q4+6DjJRXu^+}iE?*#lO^1eHlpNzm{+Xb-)QHh7I? zr8T5t1(~c(bxye!hsX1yv4_^y{rOtb#<2z3vg|UATwp>5q~O-+{94r0!i7ae229h_ z6AaFy>>TGaXBSc8=XOW$wn+*rtICQjgys0o|)IwQR3;ByWTsZ3 z#ld_F)xkwcvdp~vIFPz+))&kOXk|a+`Z=}vh1sW7pt~smpWp*KCH^+#z?!ftWDc3# zGU+rANR#OmNoGqQdDTFAI7@tfE8a-T9xHa956rwT(>cZyY^tB$uYp8);Aerqa_rV$Uv%I^BU6ym{fb++nhn2O< zgtE3K_U7oDF^-J$N+WEZh_04A?|62nS1I!|;sYmHNhh{MxdPy&Ym#@DM7B@*@9!Q= zIl$gQpcj9B<{_^@5MnDRzQ?6B_fFTH;jm>LvhY_Hfq4tFxm0eRR5frS%ph zs}=fIyo!lU2D#B9Q(nP!eJS~Uhv9*O@w%aClB_VJ>~o3-$jJwa&)u5tzFS#b(TJVn zLfGxf+0@>Tnf;2-FN@+!>i#_W))YksVD>~e|Il!vJe`gHcFzQ`Y_s=8=4)s`@0#}) z$fr$i{i8;Aw$qR2*6Ls-J@I1a+tq;d!Qo0My{BIT2t2pbHgmWRK{%VYg`wfj=t?Ma zJ{b*44(=kzj@%a$o2-}G6MQ?$D~Lq7(;ydN|I%z$Alp_1-)cCCiVG4Il@POC+CI3d z5pM7V5gxE^y6`sFu6ISm_ho@efUHwIo-m7T51h$hCMNgS^)1OKM8kA{1U<;W6pKc&Sh&+v##q)xz}DAxy9=?Uj-8;P5R41=Hwu0wUu@8*xe;_X1T zz1fZV?x5@-zMyih{VEJi7yl7EJb#WpfGDo_UmMqAeJ&-Bs(6V|F9M3zmWao@Z15v9 zn_2U#VHIwOZc^La+U#u{GgsQg2GKnw%?o-vKqoSu$-ovrST`T8cTw_LC84$InQ?+| z(sv)9hfJ4y#A*RL4Zw(5K&O82Meu}O_+kR;OkY3&AXYsTcX(?9A=_}L0Z6ER1?y>E 
z_B)$2CbqvKsVKO^lL2%v;nb3-^I3*94+tq<+7i{-A}RDBa{QLjV5)GCJY)7e;k>xuW?azQ}#ph@+D z4~lk?GXtPBZvTR8%e8%gc~kiEP2F{*-hCd>#X-UKJmuQF95?|ZetLsO_i5E8A7u7@ z>yz9%4DXuU0=?$k3cVtHqHBx2^ZEJs=k(LbHS3cDBCXDDsOJF*&H@c&c2KN>g~YXd z>;bld$MkpXQn=D_!_4%K?5erq8n%Mw1kDWO45aK)-LCjjWkU1H2Ln9}NXSR_K$0xj zsrB6Kc5YtBV#P;{3{im{8}((m)4<*9nn`dT+j1I-kHaSfR}P|3m1n@K~Ofc9%vxu=x4=zB~%TQ?N>Q+11FxGW$5esxCEr7d}Pg4N9?o z+2Ph4h$mt4}lliXCQmAOb+OYjHs3xQSp;e~ zcF0(5W+^HiK4k@FB%hFn*bWEs<1xy0K(fAiEDX+IALR~mx@kM#p&+>U1g!+SEbXu} z(UDYyquvHLheMo>l4`2HkL+ZmQ)O zq#QL3Hd2^Bwwe^;_&)qebFT|a53v5g9I45)9i-O=PMLUKf9I$mw1^IJNR2oJBc%!} z`zU_>DL-k0X1-a`Vl1P`9Zm2AEjCEB^jtG6<(-{hH42)aF}jJJ__QGsr(Kzi7JTs0 z(V|>~=CP2He4?ZQk}v>ZW2~mA3zMtL@RgCUpphm8;khn^Npe)3$lZ88IhMTDRQ(v* z4qs2T7Vhu%!+n%9KjXE_2-%sD7m6%cvgZu9o}m`l;#I#lrvwP;)bMdpx*+U!Wyh|> z?(thmW7fu?VIGzqnR6kx0+rc*b}O|6#eO}t)jaMJ0`#%P1Yrr$xNrH(E$d2+R9l>0 z>b!1!#z!5aNIMHPuUgpt+rMsW#3Dm_ZNOVK=w#Z$Dvi1`g!i{=_x7No^g_&-B+{y} z2%gQ>V-Mpu_nhZ)Hmu0Y=T^yA-AQ@?U zvrWS-*ZXxY>%h;k>bu zT`h>IhF)rMNx)l_IY>uHaW$NYG1Z9UVk&4q!uBI@<6-EK0GJ6dje-nCtWXk&TaWe#0g zY7)!v=RhE>8VcYtg3alNHv{&Dy~7ZS==lZTl(0buWPgwCOJI;zooglxH0l4*E1f!>*qi zA@%o6o;j!gH%)n{3@oMI>np=O@;g!Y(=ScOdLeJw6x=VLqak9XqdIK}#U)f9JJLVA zVhn&T9u4Xk10A?EiV9EpzY`Su*vos%19_53(D#gcu=~k#T19-Y#~32iV2QZT5;|_{ zLmJs5&r!u}L8i^A_J~4~U+`O3Tu?52fQ#XEfu%mG8Mm1N0B+XA*bBff$*_OH!ovbK z1Pb+L-e4a0qYFNOGr*E~t)$Moz!MbR!0$2m!y@5^M8p3GB5nw(>9ig&s+r6$1!gk9 z5mT98$>1i?en$NSx@w`Yg&aCU;90w#2#)a&BC}eVbpF@JKT7zILU|IAyYOR} z&W-kP0Og*zIRy8AA>YOKKM_Csqz!jDv8(!Hw~QQXdws+%HPi+N_HtCZJ#+IK3Wgjj zswu}W=mURN3JynsPoSy9FX)PH_u=sP*LTP6Q4BeD7Vi(gU{4^?pTH61Sa@8OpMJ1? 
z*uzt;V;AhN9SZ!s9z{TiF9_^1Lhdr(KwA+&h&`?DilENHq^IZ#bpfWx4l=2Lu~L<3 zjX0L-GO+pxCnlP@R*cVk=;Y)}p4Lr@w1-Ph^n8^o=ydQ_<-`$4SIqgS>bnx{K z_`T256MjFPf~eQo_6Qz^D1nbb?kzgFDz@3L3b$NGfaRWxr^TnXPBA|-B3bII8Q$EL zCPW@8GxsDb&E%$=;UTxvbZa#@A)$_&zeub4@C6Psd+oUcJg?q+@534WXdnl}8CVdT zS$J#U^>7y0>;e?3dB2EF2eTZ}9`|_PeZ;mg4P{WlG}@NTxxglepnowHK1t0oz?jp* zsIyU#&!ZORmBt>Opd6JD%nU>hxeYt=G$bNx9FL=4&q+o|&WrCD(y|owZOTz3ZcHAT zWzJ~pHRbq*iz@$7luruAEOlN~D(RaWEL0CktTt%cMYhN?<19ou;YZf$ zC{H|(HI{ZtD#+iorfNvmgJi;JDq2?{>XsU2tm$5_aKOw0wV0(;3&2qjs~zaA0R?X8 zS`<@p_vgV;Qytm^>hFVn-ka2^@AkosNJJLP_hwrBT05HDym5lD4N+d*M0=Xb>&y)asBql^CAT@KkbXO(~42W zU*Qd7Wx>zoP6YENMO7<-v!G8q*AD?77|(+_iCsh;my)6qtKz$#bOw{8-LimRho5lH zf|*C-VD<_CHS2N2=XsfC5{PCa^_`kE=?TxHk8;Kr{y1S<%y}B&c*1})?RyNCr94|C zP(a|pKZXmmV7~V2whcRpw4kB6ep>$Lbx=8#(o;V>Z_~oLdCgKeV!OBJDL$boh;yAM z-jKz_@6R$)ww0OH6^b1 zw+qvX7#Eiq(`RKVQrCM|zf&ow&!C2yysB@zZo()+;pw6UoVifKJY&>wdEP;>dFg#C z52sL&%Eg^yV~AiMYsS{@ow$>G*OGn%$cCUESN)hfZ+GkK9T8DXv$Lym{{h^{0bERo z3O7zwOf+)QUqijUgECu<(z%|KyVpYl2p@yeCZsDt_YcVPDgd5Mq&U{4LL>j!p90Gp zQZl8fcNfMfBU>$|6czL@gkKD`dx}z|qo(e(J&$68)r=mY!+Wj0-T!2gl*CKJ!)a@E zxe+2_>z*+xd4t{e41y1xwWuJWHZbNxQ}(96n}FCGf>;&h!^0%XruKSdqA3|aOMw*T#Jdk;d_ym>Ossc& zp%iA)Q3$1E<{Njbj%nqO;88zRBZKDwL>pCD9it*Le}&j@xt$X}z83cXLTID9AgoWb zVaO3gt0vNdNhLDUJPU7+GWw;`Ag?Y>Y??SOgtdR3%c>A$icISd5D}ZD4aQj@A91ir zE;$?8H=mHo-?jPrqK3f?N*jP)Ha)`xuC6pm+>TA2C`W->P$ngL4$c_tfQ3N>std%5 z7zWea7n>BB;PpM+sJpweW9Z}%bQNtt6eH6h{-bV3_lpn6ZI)oh=Ap9%}QI zH0!T|W@nI{JY>^u1ap4bqHiyBwH`WxYJZ(DMtONna3~3GS6?>?EppE#TC1Y* zfe=h&!3-@euZQF3URYSjNYbg?0O8YJP!OL)6bWudBwx1}1e`afbiJ0~S~xvxI^okO zNP9x?-tYWB0m65rnp{#t%ZL?oMCS~@8_s|Z1}KdbL+p~)#Fq8zn&N7RRsZ@qz5}Rt zI~eKe7Cq3grlMp1HtgCVpHClKC;J*N-Zt#%oP(6e_}6) zldXX&M}kV}A9>f7@;;71%Jh?ZapL9pxSi7;u-SHxV7lW?*9pV>9`1nzY!o0mDz@+N zUBg%)A0JaVbxO^cjcGnC7B#hH>mX-aJ0IXinX7#A-aF2sc@s-nR0l(rKdmmuQS$@}B_o{JKQ9V3Awvlu?O>y&r?6j;m1kT*O?@Yn*k=Ssy+ z#PUlK$hN{&xmHy(+45ZEyQ!2BQJkXX@7B1~}+g*2HAst1{um)G1chLKAZ zP0*x0$P?){U>3nLYh|S~ULun?xeIxbn?eS0fs2~J)PLMWb14gcTtnhPkim+Q7TMWM 
z-B((b8QPbd?6{WbcCsbCRha2q^tok`ftKAu`RSN?Y76p^x!ahlE&Z{#jbjTLF^)@qsEFdmc`}dE!ERFDQlVcMn7c&?5FgDTD*xVj4QaF1@Js+$YteW7}6+qxk5 zsJbB7u)4_8(Zt5tnKG$N8;edUXT)8%Vg@1CH~yK(xW3*D8_Y_ecX@r^km~>vWZRfLjEgj6N_M)- zbdT(Z&48d~{6lTg8nLNvwQ1k~gf&q1T)h_&HYjAuZro#MS26{Bo0l!zn1<4TpuCYf z!Td|76nN9J$iZ^`B^F(cu3-(p@(=6gq?|E}+vZ@UWZg1pgEHA&2^)KyRixjo=3!i)!p6EFK2ceXTr;JOQ$zc+-;;D_WR8QkLWr$-1JoT!dK+4tJ%_9 zHr;@LIDduWl_Z8)DAO_4MK6@<HX06kIoAULGDySeCYjib&^@+z6xhHJ|7xXIb`vH<4?~ zMIEGTYYTawCV1a(M2d0>q{sG8ZomXr)*gMqfzE0)nfdY@#$8lp2+eA#2V?K4J$Xi9 zUI;Af;r}Y!k%tQLk4@iGo7-IYCft?{k+&p_CBr-=ARMmG+5=L)N*r#!IhW<5$}}4Z z+5$<~obwAVmd*tdr?h6%_6@}iMVjlJ&7FA$TW7~dOCK>w#)iurYdD#YuZ6y6vmX5q z4#!!f$CHHa$5@%iA95x5!(ONo*f+BSeef9m6-j6JV|C zX|`>plbN9d|Lb8Jht?H`R-=x6{Xojrbniz3h`+BWbqe?#C_8m=2j>cIpk1OROxJVz z1YIN|c^(F2d8Y^>vlmwy4Ad#VJRqzRFw1&zh%U5 zttZtrl6GJhT^g85`)@e!lLN#r_gfr@E^u1otUcw(=fJ#usS zm|25wz|L?oVdgVxLPZW*G1^CW;9^Gl#RgPwWG_{? z*SYWe-g|egs@xGfBO@X+qN?_)jP*;7F`@B`0&50B zYxY+aT^Ny{p1Lzt1UWL5O*(?SJTq9=nsM?OqP_0{vFm%QF4ouFJI-!NGA5>=mS#8CcKXYEf1q@{5jBh!pt|88ZN*r)5bQND@Jw&}|Eh<}(pAe1pjZID zfQqJ22Gxz3l+lRY?5sY5wvV0Swd)aGB)~R@3KAz~S%a0{L61>?KdooyXJAwTHz-CYnBOTzH`^56_>VJ;KTkVC zVyKM_3*w-!pTC3Nw=oBlo$+6pX@%JFkRyvRM$l)yn|!C*V}WJ`kPfh0`&cohiy3jV zCJ<3&AlNdD6jQc%o-QO6b1=Pbv3)oabkE)>klFIH;J)!Ii1FrdNJEaia9w9f%C&SXmQq<@ zJ|C>mJC($JEhmgSEKb!0shge}bhY%$cRPxm5&3o$TzpNZQ@h0RL&vrgn5E=3A#sfh>-lh3< zzTp);RntNmgjNK0gwq^`blji2y}F?V)ZtdC7@sZn*sXKj;bJ5}fOawpvelTici#aX(A zzU*?~hEv{JUM`su%?};qj*a^+nc>W?`wQB*S0C)LjaD;{*+65u(IXEHW@fNzIJWFn zps9E&qvjR7qQep{>!F7wE03S&8Q+o31f^319{QzK@OQQl_Kj^w;1Q}X8{7Aw)2Mzp zTl+M=mqoGduGc~Y$syKV7m|?&@Ah1wv@&lXNSp{QPATS_wk$5Kg$r|CgjP8tnpIkI zgKP_6k?6&!Nnk|U#4Q-*zgfTsow0^t%)yGV7AhX1WXQe%3)iZbV;&P{(Gv3cOtRWq zb5+qbX4@)^`6ta$7-`5O^2c?J8dL5|&Ak|`^%vHHdTSZ2RO_t1He{M8aA4A_?{;qQ z^++fAb18@+9eCf2Du-x{8If2UrbRC!VVPAJUvOBS%#2hVPRp0zutM`0eP4>c z8?UP;xp6R$1YEDMc4okzWR(5|W`VCd@+Q^G{rq6qod#LEQ_5((pLtalm0}m!TCI!M zzS!!-1G8#YS^GJhGi2ENcq_J2vRZy+S87<~$)^iNXP3SLU!(5>$vko>N_`L207jda 
zC4rgqt&KzEh9o0{l)>p>!LSyia9%WI^*241=kN7?9%;`>QKsWS#_agmJEP2lZjJ83f?2!kT(vqEazdnGtkfH$F4P1N zJ+@(}s~nTc{^L!_u!gIVeXoFB`DFC7h-}UzK6W+FMw|9K z7u44he{fDmuekWK?$B%1B!~IR`o%Y3uZa}Q2)C~D*ZRaQ4^lvmL7D?|lVCu3aKqpWkfm%Q1#4fegtF)x%2v_GRjN->`ZK;ni5-4z zg-wYa|L8pr3SF=RfKm&j0mi^&N{8Kr(aS*EQ^3-~3^r_pHna};NG2QoF-wcb<72|? zGpwnp;iv=H@9t+4@+00YU6wj5HDdp%8z^C|iP8B+T7!v97Wek4jhWebo{!V{>Tk?<`z>(-o9qH*1|-A|BYDCKy8`lA%>Y#)2p(hbq9R^`jBvzU@pe}4mEN*H zFh4z)vUqR90$Q4Rb_aJo?y2#;^kNRe?XXDdqw;A|fXuL|*bZ_`jbpM8)oIvSLLcRW z!|~%R7lH_O=(7&MJQUk?E4GehuA_==_%TJe9I@jM`n4K0tN+&QzcxAU**%6|xO#@t z2|H!vl_ca2nm$=2)=6==p_RqgIW)fjOa4$Se-8(BFIPUp}yWjo|nr_m5v3e>`Dj`_j%p|A%B@`Aaf`o{wfdX}%= zzwBSv{@VHL1!w>1LN0FmcI-8rJI9+fQf~TfQ9wXT-X`^yuWZ#z5rTS|3O`0WcW)nF*5&|%AYs= zUxh4x6f!gY>0pubek2PfbQuO~Wc={9J|66sKUHZ5)gx@UVsQ#u}Gq|lK2@`d_e5TNr zcRf01YA@LHC*QT^%bYgX4dfj*_`0G0Y=WUy{}`Hn@6QBI)tydh4^?ZfjMB#5zvW?A z0p?gUm)~f^*x0$-=y&8#RGmk&N!dMh+)rLvhHWzAkd(@;`gX|!bfh}dFa^+mFL2Cy zt;zJiaqu>W%B6g~VGo0aNHU|X&IFd16>6Af7ik0?e0-IMJ&fBr^KplFRG+s0Qy#V{ zw3?)T^G|sgS!WGJaB7*SHvssn4cY(ycMluG|7f*X>HibY=g)`ze=850ZAuDBap7CIfpEGCpWR}4 z(^9xv7hqhTa-O-Bi)xEC{_p0sCGfKXDw=KDQw=HOPlsQ>K#z}JR&6|FFE~Cwb3WfL z9WJ_n`2qCsoPm@oFKbm+@joK~eOu$&f399$rFeB%0+FE;Sv5G26DM`Ldc)JYV(_E5 zzk9u_E_RL(aR)yFdu_$(gmSo%^}dNA`pj0bYhAJ&tL9e1U+J8R3ib!Q8Ie=LUvss;`o~jB)dy(lh0VPU=s=~0p zB-M#s^gt5aQu|VDT|x(cbKB{6%YFOs-P?A&dUXP*Lj~|eD6RSSIGKNTS+SNZ_nJqz z&i}mQVUeB3+F$cYFOL!?Rn6RK5h}u*d_4~>CiMG2;y0T#-phi4tBbqw=?iB;X5e8j zLnbh?nm&=B4;p^x7=jL=A%VX@rak(3ZUOrvMkZPg&`6NNhYp<=>%nK$kK3c%=kZEpt)1s` ztLJ+3PY}z`&*ohu^pbPmA3G=fjMqzjzhQyV&k@6+_t2N+?aXdYIaY@0XfGRTEV`ix ze?1yeMepmbO4G zc}gW+k3yQk=1A!2kzkp!zyzZ+qL=4OcpaKL*(zu*_SXezA{(BC zWg<4Jp&Mo-wjpAqh`4mZ`#!N1i9SHek`~jHA0b|q0@Go!F^iCOK540^cf&wYv(>S= z^%!Hu`JoY|nd2A_m)3q*0Gxf>m3YiX$6#xF{$t- z#%s}HTfP&tfMARth8Am=2Bhiw8~hMvh2K`L*6G`O~ru z5e!S@BwrnWKsJeY<4_4EWg=|o0U+9$RFAN7#NqaO*-w5bX`atzK~ahEtiMa}P~;ry3|1{EQm|0Dyv#$ou?2hb7hNkk z4u_;_oxX9Jaj}LXC%P^Jc#fgY26+q^G^m#3(XUzg{Y;LH9oT)w)eij)(FbSC3r_2P 
zwvMhW?GTQB7H77Vkz3p9v(`W{vI6^grSR`40cif99;r;VWtID`!j}dOKt%K#n54a? z!4z14CaDo~Qjx)`9FZ=hi)0Q#D^RUKS8+-Q>%%Yil{JQ4Ne`L#wJc<06Y6k$;vw|| zt3&Jus|MQ>6J^v=V`VgjuIW}mE$l~8BaHT2gRgS>%2Qiw<(b&m&3in7?1xmImFy#` z$7he5zdJX+w`1g_xIjogW=tZ%JRzg-`XwtR zb?bY{*8qV73C}*s>rrWklfeEi7XZ1%C= zt3fI3@qY&ZwIbpLniDeFqb&7%1cQhNahDSE&ImwxJ8a78gpB8b8ddhH&S?_*zJnF| zNG0#X01{~htz8Cs>~cJzKN0=N6^73I=6+*$Ffs#yYdRpq4(Ee_J-DvN>k0kmsb!b! z3V%=#kJM-H6NdxKjpHV#wH$*|pTg1)&vHBX^4m82P7X)frw%bwJ=2Zp!BH(h6~j12Lj zE>Pl6fSZ0bOYgQkzk}9iBRqBhU6HnkoCc+J2z`F-wP|la)=6)d+eC3NTxX1)j*68M z!A+Q+C)EOPm)3}BUix;}9=gacN32ZsgQ!cW#3mis&&hOuw5MwZb%p2cy);MkVva|$L|suqz;5%mBwiQChl~e4Fhe4pj?0PXi*wj8 zu%=L*tU6k2GvXG$u+Z=Km4`c8-Pvo`WT`>UEY!2&0IkJ15 z{o6`+uoZ}53ph_Z^u@@^>@g3lzAIS8o!i8vU{WOl;ww{x0?sa(reG_^^y{c#D z=X_$_^M~67@TBYpfU`^FnsC@7=M&)Fh4aIHaNr_^6aD=I&oMTnO{~_SIzWRQjd2%6 zl?I3GS&P9%@Dl`bK%y(U=9dKwWGK%>Pn5AU2GVFwZ(mQ)>yh+^=J^JZD`}^Y&T@^| z8R-*Q+!3eRcf4$=z<~U$Gg9c*ke_Q|*km7BJ#04sKX@vh8qOu&jiZ1Sgzle)e~a^S*Wd9=J5YJ2MHg%9FVq ztl^Qjz0q3;lgU0}G`#aq;1AAob#phXIMF(94_i~27i&6`LT-{%<&u}Y919l-`!(q4 zkl!ZjD@*cmP{N8h6+oO>sC)04->>PKJuJXU%>_p6-HpeDLb}YCq+u3536o%{nQ3R| zSyb!#(F|jx>t1$JFppd!E3`Q%*5pLYP}bgFZ_qt~POaYQD39u$dwN86cAy2@RhBEc ztXEZv-sUdp=H=B^lzn$yB&mS4T&D4u4&>(Qf#=J|N{ph~&2ySJOGGK2V zwS(4Akc@2+Wf7$rrL*58ii;5`jBmJbVkk^+>zRoVf!`N{wdzUD^6JbHO1{fic6I2R$SfO+`Ja9 zk8D$yxMjZ?(V{kY!XIC5R^aoprtwx$>02?X{Nv->w*-+}5vJX3-s5!FC7x@;N5YG^ zuncirAODSy<&wds1c9T${$tgi3+1~RsGg>znr0m{-1;p`RHTC-hPF12oBqg+4SP3z zeQR1WI_85hQa62xYU-cR(DsM62bv>uy_7|ol}q&3tCnUbKh4Ze%E%k&X;AwXlwfjM zCevw)k{ptm`%MZq@JNyfj#(oeZ45!3rAOXU<4<`6;W!R!k5xaL_o-=A+!k ziztsL(|*^|A{dvP2uxKx(CVT+^jGgclFl3-v#Cg>E?-GZS!?IOovwi&HLD+YH_|!v ze`7rx{25MlxDW;(v{SOIm7*A*)1wA;C6xE@c3T4p^X%xD-g)^}H5=}oupLb%&OjX? 
zu-;#j61z7C>S~&tJ3Qp6@|J%SPmRZ3_l-?f1_HT(hPP>qpR)X5#T-UKEA=>rW{t{A zEmodn@2rZZc|#+%uJc96AuI#bd^63#L<-qNre%&^V6&ac$z&?k+yYrWbgo=o8wCYT z*ahJICs+$`eh{dAH7yAT3r*4-LAywD@d>$=JgP=84zbpcHp6-CZ4YM;AtP^dgW)Oe zipg%P*ZIrl7TNC4jr~jA_lcT|*D0?qE}Mp5#y9Iwhc)L~bDWLEo<`O|47w zHV>XPR45n(xsjO7Z4Jg4JTV9|h6mQ=YY0h++NDllZ^vNcTO3T7IW9V4y^AfUU54EO znBvqW(NHs!q92eQ9HC9njmA)og{T#9%Z`yjC)80zPL7iqBRg|^Uw!sn6qJyZZmP7l zZUv;h#Hk}Gq8+6aAD@<*?iNyuO}7Kr_#PW@vsDW-jp{~GQDUT_bWdIBX5NtFVoxL+`HaHq##z#Bt&IyQ}AasDp3!P*?8rT_z7kI#Z zB=3YCaDa`zEsO-z{;M1cDFPWMb83Lwo(oHAh_hW67<7ZHusC|of*x+_V2)WWAk?7G z{0@dG0vYql=&GX=77jG+02?zqoI9+Ig)Mgv+b{b+_B8iDlKO_#d50BV_s21D*dlmi z`ma+MR)o)EbVqicA;^Zr4CA>Y_=1KAp-QImO=_FoVWte)^BEgVt`8>sZ!tb)z*3l= zRG_epS1nUX_^i=*WEy%L25as(Gs7L_P93S{IJbT20*T9J(XU>CqGLzc2%fuSA{GuH zICx{qw$75)c)Tv;gD^gTl+Ia-Z zme~;EGgmmcfd$Iu=W9TURE*TjAMd%q3Ks!IRtY(9y=6ytVI`sgQx5K7sQ^oeN)x|# zWq0@aB9T0@`{R`y;N#c^gB4^4dwNNXR)G}i%Z}1;$b~Ieu&*Z8sGhp);5g%z3{Zjc zcmc~Zc#ZiY@rU~$2%#wzvc?=Zask1aKx8$G&xsb^zW^!7K?ap_ISk4H3Y3UpLb%O* zH(Nnp=`)QcP~5(J%=b999wpnQq!=|26QU25$_Avs5VRKS9r8zNY!xE(iCX03=C(Xp zHZT*QP;n{Uwm65M_33PW0B;c)QX{{IuEtR56jxq}Klv@uC%}hQD%_+=++l;zg&hYr zyFcStJmYA>Zx=}aLMuCS=@gmBfc_2`lPq>h!1-Gh=sjBwV(31S-li+{0gw`!%pWOO z4%odcn2}SV8q?toFvnsBlQO|HZf}jT-BH+XYMig(8nQ0~&jLu|aO z7o6(0SqEXEAfvF0CpE7ZFrkmW*aL;qjKq;D*LMdZ^SD!RQD*0K1eDNgI}dkm)7v9- zsG&-YEA`<#R8It7?>F+hy^tda10H(8z3aY4-0R2d?6gZ?glOQMeqI3D4?OQopJYD2 zN4pQPxBZ#0v-j3|^rI|x30s6qnKz~4E6zmWq9A5kNUStVzB63$M|wC&3LPyQfzq&9 zTwM(X9*LX1mFPrXEnI(s0Tdk61Kj>Cr?^h6J4X<&3jr)`?SUttR$~ck5{(uZN(9RO zMZ88(_K9ythE4ok zYEkVdmRu|5=2;`1l=8BT*9V+L7^g2)gJ83C>!_q44G2nEFmvTtO(ud06uPFOIyS3DOwcE^ z7^39}HE^AJ@vRHY{uXJFG$b`^FI`A$&nWj7kd6-#p<;I_nJz~;&B$=u9r4m1Vx33_ zC7G&{j4+N!x_&I6rFtMdu%jO*M+>xasH~H^^={%c1$Af9F-lI3c%;4eihXxIHHynQ z=b9|f8lp_^K*RxW!U>_RE6JC4si$JaZKi7fHu}K7^G)Ki5#DIt)$}E^i=ERuxWg8<>VdJU{Ny{< zq9$wAksy4263fKi!H0=x--MPz-F^%#;>aj2Xs}qpIVasl1m5dsNG6+q-$rkfrarC_R zc&1fx{4|cJcWO%Rj_>=;EI!aTiiy<)=pqAENYMfTg)J~eGl%gPjmy$ 
zp{M`DfBpY;YQo=rM%I7!85zGerC90zx1A_9CW8OiiTdwn0I>bXQ3`*R{Ab_)?0f(Q zc6L_w|JqPsX8!+dC`@>`c`7N_`z*G#Bus6s3JH>Jn$^e3KyVQ<7YZRYhgt$6fqaMX zBVYtk2f-mY-9eJ;1(kR0FWoN(Z~Y@jALd_gZc%QWqmK9h zGyDR^UW*3WH+@AIxd{A>*94tR?ep4wr26d>EAIZ~3|&R_uye@+Q9cg#c@0!~{475} z&|Z!Y>f8$2JXy(%OG;VTW&9(lr%XdG;j<&mRM!n$erl{eC?ch?Wd6s(S-saLEQ?bI z{ID$9m}?~YlTo|}?326I=)4J|v1sd5TEGNxj@Ue@($6R1i!4OZ9Us=yqe+<`0ZJav z1aPkP=K=^Pp@^nZ^V2R1Px#Wwfo$`7NR)J=f^ABE;WhL%=6U$LQ9r&loDeGV!I<3- zYoJad%9AEQEcge~Lu&I$cSQy?c8XU4$gZl%4M;n;3w+jlHED&Vo{_S`0C$<3JdS25 zRC)*g8e0lI^zZqlwy9xiR|rSsayA8LQj9&u zSRQtBWcH3%WKKy#2wsuHs>D4#29K*Q!(Ad*M@e$B*WSDcmKpL@s^D5ldSpoMB~lwB z&6Urp5a&)U3h#2BGIJEVF$7MJrOuJZN>H1}JZ6r^5f(O&d%~SB>+m%w;!-F>yca8y z&LllBj<#Rs?zUeCe{}ZEHVU5h3Z!zcrO^+)T$!r=ikG&RTVCx9D3Uqi0$7F!p2Ljb zJ&t!*N~R=lMH<(uPuDQVMS*CE5t2(Yz}sHBsh521hiA;Y&!AOiuwApk;bN{Q!6dp7 zip;DdUZUfiStM#0k2p2>eWzT7Uc7(T@BU2MDfGdp&XkZV200t3UzVUo(evuNjBCfn zk=}g2#`{i!ZW*&D7I~u+j_RQd$CfN=Wy30>riTb8+T?c!MqBhB+=K2hR%5#O*}|G~ zH8@_rC+=JJhKXl_P)ZC^qEz?6mH6pQ+ap=!wVaUdJ46d|W`fk*6u_K(pE(s+Bd=88 z4^&n&Iu`jHsF0)5^Z-4CI-%k-sOAF_jLlbv?Q=XqzopK~w* zr+H5W^G-2&=}zZ^!ePrkB}l5@h$#j4X*-6i$e;hyS`FWxWsdplJFgtUk=} zBJkZD)|k7xun}k>meHMVi2>Ww0m7nm7)HfDuQ}a#cVX$8H+_sVYKNjRI$Z>Wy(o6f z6edOQJf!ZTjC}w}V=PVF3W!!YvlDEl{K=J!ga1>!J+7W1Ld$Of&9HQXU6xIbbVsyN zyf?hFLM=e~M}?D;oa_d3J7-7P&INm=3z4Y{@{>8%9>&29;CLB+QSK*c?gDX);X9i_ zj-eR{b6%DN!^^%S^nI@8?3wjl^2-6JX&}$S^b;CcGY-!$!(TM9SG-D8V{`%RK^!}$ zTtSi@LD_q3ee3WJ)I1VgPoj8H^HqmK>=itY2pWbo2Q^$#LNDMi@b5`@d8)@|?g`F2 ziOcy90PhLayV$cI-usnyXy;oXUBum0y?i%XQhcD=NF+@G9$Y64EeMmhVGYercKF;tfuWH zBQCazKf4w1Rl@+Uu6;@r#+0sNaDTOFG`@l(ZP>B?P!t^SZFSY8O8Cn)xo zq^#ITknZG&Cgr>I)1EBd9lopaH}2jt0!6=Bzz}}FspklKoGL%u$D^8|DVLGy-J=L3BaB5&jrjRd#%O=y#H6aFfSC>!im` z+e%DBKm4Uz7VdC(08xro`R{QD!hCGbarwH~y7Ft@0#H6^_yE@D#CfXy)$y;;NS1;YQYD8b#pf4DL{(WLgEGR!c8yD{|qlmzG~jhTbmzUiwj*(u>< zc1y_54$kn#=DA#U$U@xb&>yctmH!55(VFowsXvD1#=lBgR~wMuYlE!kb+Tk5)8S?;y~=H&dgo?i`}WwFx{)d2WPW zXi2W|UGn)6ir1gT9)jBi{;;>?Io^CnJ{7P}Ee7)j3j$(TD^_djycYPKwIp-32H0En 
ztdDA|yPg(x7{(EArKpwhKU0L1XlFM_JV0zK-|wuwZDh)rfW00F+B0 zF9G5b3@0duWEZzm<|TlJ9sUFv?VAf)_Nx0DDBL>mMwq%yf2BQm)g88)^L;t#3U~vj zf^2_ABoOru&J@tW%(g8yqa~56)dp$52>TmN%MFm~oCE^`+n9GC?S|s(p?0o@rTh*M zeux7f-Z(0^@8)R7&O2csJh4{`(C8F`bKaxf;4=V+So)H5)FJNfctpX^t})))qsJQt zmJ;pgV)uUh#FjF);jJEiK6JjJpKtX96D{~>6NAUbtMFP*I7IH3EoV<|IRHik%NZjM zoFlh-OSVXtzEDE8z%W-ANI2X`OVogD^12&~HI=he<`bPE_1+ zDM{1bOs&Q}66XRvS$8&9GNd=pvA2`8j?n|M#Fc2W`%M@`)*w2^p5jz&Nx9#aaO2%+w*fXQv(D1av z&UEAfxJ9JpRuFq{*==*|$WA=^S;p~G)b_tC5Esdg0a)`c3QgTI9upj;9H)e4=-U|y zQNEFjAz@fR5)b&}elN=g;K8UoU=f{#JoC?b2gyOPt8Hh!g}gBGticsEZ%BskctgEf zzTF8*Ag9=UM7ZF8P3Tk|XX`%V%TuN0&%Pe~FnV%G9(6vRjLDGBgBwocM7(k7C^chQ%aNUmDD3ejTMeXDFZtNiVzsHbs6cWt~T ztpi!SETP+j_=h9GF+lfk=H{zDPp1wOLEsVc)3KC-n=Zi9P8M7gc9>W@7XF7o5#aOW zRWqIs2JLUi8oL5l<)3kvDD!#SHz&}~G5{aHi9Eq(Ab2=HVt`7m{5ItU_DY9` z7igA1*zL9>PJ#3Lj02NNv_T}cEIdjh6cfuUIyiTNwk2zw?BhYX$1l+YjG0HNBnNDX z?W~*1PXTw*jLnGQq;i}ha|GIQAs!LH9-+GQgrmN`#gQF3_E3|M*BVp3=6AM*@Tx4- zDsU;ob?;!ibHeup)6Ry( zcAT$xQNSr-o0ver;TmVA5Yi<-RY-k3vE}ZFaAs%_xV#M6F0^-fXE@PL5PaR#Cly_O zL(N44RmaP=YUAm9vU|$PWsJ-HI9)^Kd$OylO@QrXSE$_9v8LU&vhVuz+~Ni-D_P$Z zH}FMQxxlL#d%_}n0CyyA=@uVr{-e9?h+ecW`bLNeFtZxe zzKD$uR4VA%ib#oGNVm|4JRa~?*e+wYhTSxIba0DzG&;rcv`Boz6SnONq7h$Vz$@5} z)L~aESc@P!O+Z{H!f8--dX%*9)Zv_g58zxJs5V~S#Wyp7M8ar(iPNhrsE0B(XYWng zOZ|-v?nUT3q^`i*px*|U3MwhNUbvPC_C^-tno?UDH)vPxEo|30&&(!NCocNcI!e

9Ls_!wBQR4Sk{&9P8HNevT=AoXM~7}qr0*I6#%+aw(>ANW7Brf?vuOPtxb;x zznE%mROAruiy@vkKK)}H;INLg)l4n{cn|2Fh&En)1fD8G{hgk3sy)~HsCF`<+cARs zB(|MgwX_X;RFk2%0CZTB`5rvdi3n#0$g@Z0)mCWLm4GPUqCbCzJmuhKYpG(k_HT58 zZm=QWbO(?MnkdyaK4h1y#ugEnM%xbVvWJD(HT%^D3d%9*W<`5?+)>}lD}A6em%z~= zLGmDh=I9|auK;m^d+fBTTIy9@>?DNZ@3fsxqFoon#_CP%V@j*yF8hJ}S*WH|77{NWlnLT+B|=pa7%o3EqV#^62Oll2qb^aXhO zD2TmFyPOP%=P8fJ6$96}LZb}5K>rm!( z8h*RCoU&tD${ej2=l zEW|#xTe*PmulMKkTrH|H%}f<0U*&1=V&$93@s{V=i7PaOytJ&OoRo7&h zVCYZM^~PxJB1;?H=BRkw+YJ{=anf9r@^Z@+1&T(3^AS^;uU9CQnbwPFHcdH7Bqdu~ ziaH8NG%acE4}Yvn;IK}|8H7{?l}M9|y;K{B1x-4r6pfVMi6+4btyznKYkn8Bs+$~0 zYDSt4HEMz-NgBeaW*}}Il~+Q}OpuQ1BNPuNI1F=HV6lIrSAj&-jo&68#R(R1L&6;* z$+nI*XakB#R#9MCXYv+w`)(J%sS}rQzMF48LJiLm?C~wL91^w6j2loSo1Z1hDtiOA zs)5BA-%@ScAWuDMYGyThRe64#M?*O%lV~o?ErREoYMNMU!r-bj|7M+QnbZuH1oGCB zaecRL7u(ss?L`9w7X3vw!#6&}#<(c$HL7f}og^mZZ+ zY%NvmMJybvQOV+T`q%?Ro?$b!Q(@`RoJk6kM&*tM;701zqYPLuyLHOzwej}g4~b*} z>D=a}Q$kGKsF6C^tL$-Z*}3^+V3OU`DepYR%n<`iw$Z(S(GA;L8VZM0km3!QL}`hh zbA9Hek0m@ZC1g~R_2PPnQz#ZV#W%qA^(jrEZqb|(u!y5#`vU9b;cr^8+tw-Ioz+9q z4YAh?vgD7yteC0F!ZzBbpkhiBS-{^}>Jp5kyLyTXJc@ubJH^5rDn~N6uF>_wB52Dd zA8j{26}0!O=&}yTv*@cfROaMP3ardlNjPl0bi}gg4#Q|Em*WHJNaC55p^G!OX4Q!BG1E`cC*F{~alL|WZMQS%csJNOid{VlU9P2V{(y~2|ik=Bm4(QZ% zOap>J&rb3iEj5IMu1K7Sa{aKdMA3%#8z@Bqv*5b2+xD|=V=Gi98ykm8 zDZkG!z*>Mx*6A@k7!14D@4BKS(L*S9dtiA~?!62U8$7;%Yq&aAVoQ+^8kkwiCiPdX zP>32sc*`hl!|o>40t9;q%_boX$YaF>dnvAE`o{F8Ke?{RKRJt{Akh z)GE4IEq@Y3*(Fy5t<>I|lB{oCLN5}8$hbgio={3AL27EK#H~Z+SCy6@C8RT~YEhuf zt%6;)S0R_}+lq3Yj}SAv;9+USd@~d(Mo70Gw-#Ewm$((=G&(Ju)$3W`iD5xLoE|Pf ztX>b;3hXM8G$Gsy=895UmRyMn91akqLFnGf5RA=YJ;%(J3qUW09h{zL%7v1r=}^Yg zJ~I}Srj?rnP1Iq_O^Xu~0mOnXn8E7n4!qfW-7Ap`x&Na;mvt#A3bVcm=hUz6w*gOQ zFv{ew2*p9p=W~8Zw6pYh#f=~V1NbO#6`(WUdjr`73d($Xu=5}5T087JQae~X&O6q* zX;7Uk7YOnMP>ps5nZ*Ge9;_W&UdkIbxoj8K_rrN%UPMqfGw%LUJZ4;S1MwaPKY8ku zeP}_+dpR*30bEgBp~xY#0S$imVqmW5fxVcNssNU6y6^*+`h_vle-v3smAgREx6G5* zGb59vjT+_4lCBx&-=PSq@cejp-2vMH)YUFG_@y+IS%yJ{S}`f2maBjOM?kp02%*@x 
zK#GVm3-n^|EvyfC%nKJPVTWGohJNgvqC_GHWfutL;B|5@UPa~;1KYdV3s8kRgB%Mu z3Q`F48vq-Ctej+@nGJ{)-~wy|R1ID&WIk;5oO=g_37i_I*0?tqa2@#^p2{GTw*4%9e2xKD&Vgd~0Wi)1F!q5LjsbVh0Vtx~O4%ZMcln?JFu!EE{HFG~SfCbzU}-bd+JV8rAD|{6CtxNZ96^dfhEoeB&>UJh7H}+CGk_=B z)q7W?%@|}lvgU*$A!|p;`BU<$=g^*=wK)=Q;C?jZG8}|0Nr;>j?rNQKs7V(!SZ3#t za%iw)s096F$mEePQqo}M?qeENUqdpLx;x;Igp~DazH~KYV5m5kMcp7AIVUaL2M-Dm}bD4h|W)8bv!LyExS70RXLpv31`eQ z=N}2@qf15F^%%tKML$Q^Y1Nw~y9>4VMJEFex=*x|?ORr8K8itWDfE&30P- z&RPS>Chagcgy;5B&p6PXB|SG;cg#1Qv_1N~v89UIMUE1oDr!(VAuj_|abKdTkd7S= zuSyDk3Y?CSsL52;rrIx0N8{ZsrFcN$2)BwdRMFA7RHvvIVGqYPGy1OXwlCo#Z8wkc zn2IE(Y$tL%T3)H0BIQ!z(>`2To`YE_0hdg2gw=LtQttBeG|s+S`|m66BF>z4=w45f z3AV=9sd~>C5eWvYIxvfsdrE;#%I+4yqyMz9i}M;81;~U1CE5lY? z3U6HvrT#sF$DEFLzp9adU7;a6N#X?6@b=zN_h8MNCUp+UGHtiY(5cOJd=bB!+zlD3 zB!mY!jIss?=!-h}BsEL@!rI#25UQkj*6Cgm@rdTPfQSK?!eoOVIvZ)QrgqC>H^B*= zp}S~wMvd{XDK8jeAJijZ`r@>6Y~ddyao+GGgfdIUyI^GdiST?$pNj-%>+3K=o$#Q_ zzl1Io!CG~LjJTJu=Pfyly?d?z#$K*9?}*zdfDT8*4fpKrXS*DUa7%s;Kaw}i7u?|* z&Fhu3tSvs4JL`zV)IXvhxZP#H853!xD}G{)F+_M+a6O}q^^qGjrtO`Oi%u~5$JwB% z>pU-XCyjH$9#zoeRn_|+GWS9oL z;D>f4J!S^&v~BEJ!7jcb-SV_dDHgpe=&9rL7Ff?lWyBRZQHhO+qP}nwykMR+qP}I zZQJhsZW|l1f9#&B@=}MqWaQ}a+6LLDoDZ!Eurd7UTlZ&cMq&dd@)SR5WtVugb;%@O*a_$^V~Sq24NhU{Uc znJT=6ii^4CYpVo12kYOu9Y%L-{6n)tIk#R=CIw`9Lx>fj{-Y?q7%%-ImM4HKf(w`< z%qn-ZOap)p^Y@Pd5Kq>K^?fs=A-uz~{#w_$&St&6!F+F7&&HWUEVzRe<6x&!fFOUn zlz+W;O)s6mUw^y?$Baj7H9M5#(Un zK|iwZU!k4)mWUlg+p9H$eF31i?z`*-^|}C?XcYL+C9}MzVH74ihOKV!$DyRlis$W+ zs^%W`Be{1p>laAd5_dRC(dO&H(ab?NQ$T;M+IR;9%_?-akX( z!6UfgLqCuxF?hll;pHxIor?E>A<*Rjpv~PK*sCqziIuiKbG?bTJ_oufb?u^e*5FOx zm)t8Juu__3p2MEgnvIa9&*Fz>2;DwfK|*hh#JibuK<1a}&UYQyR%m4qS&|R7Wby!fD2;+r0d&8$4iaNRAe)-TgW6ErU zAqy*->D2X8CS`dmjEG=Xgm+@)n?4r9sb~|~o`XBC^G18Hkl5cB_^4y#esW&X@@yRY z24%Lk)boY%(wFJDy1wv9KxgRlvT-opkpe3k+=$n4-Ti zTK7ys9z^ZmUz_}WTv|J~c`o~KaN@{|SnZCxDT+8#XqUqu>PZ9U)(5wikGRQ-;3?*K zE(2cQVZ=tLWyN+ow1RoEB5OXv{eY(nKKW+w&c=2UNejkbD+b_pA{@s!iR_406aBU= zd7lN&JaP7r#uC{hQ*(IT-aEm_#Qyx#$`e7rz+1o^xWf{ 
zUrI^M|9lgb?fD$q9ERSDZYjmSwtuOa^*erW7e+E$;r^CVG(vyCvo4=zA92(OVlQAK ztq&IYfTc)fK*t4x%1ZK9SP?T(DyH*|Ezj`Yl!KkFq!Z|wZ0Ty~_&dk7G!IO8v~-ZZ zobNC!;%AvBG|#P^2g~tz4%ihxnl2#<=l8PnqZMS!Ug+F%dJIP;&WVI_F=o=@_K+eE z3Eajblnf`fThI=1dS*UjwJQbTwj0EbUeC{Js01%PEX6ii%xcc&76k`4r8nVXv0(=I zd5h3l0|Un|Kf%%Y3H}Cse~gZdT2jL~7XA@Ccy~o6z(QkK6s;Rts3srca@9F{R_BMXAjTO9=5wNL_kRXMZ^B` zpVz;~42#6rDQX=DO_Cr{5c9{dir$`bA{~yIF(3Dj@x0pDJqf#;dWnH_$_bb|?D>4V zuPKA?dcUW&JZ)?jRInYo*%}!EJHbXayj-0@?{`sSCR#9G1lTFaDo9D4GITSoCI_bQ zLQPRC9Cg6*xA-T~iqB_uhqR{w4iP*1OunQ14+?4qtWu3;B<1IDHvFt#DUx+k5*C>F z&A+36&EaVj%n{;ZvH7$1`1xs2iGP4>O zO*}?};8enSN-TciJeC6^W8twJEOKYxcqX-nDQ+}vVCGC4f)XZgpS)jhI*~eC#A+PJ z#I{)Z#1-%{{8&F!pF9@4UE2l%v@1i6N7tJ;r-$v+o1l|ITzUdn(2014&UI4_--(e2 z59nG1EjNz_x@eh&H_P4%uWP75JplF>$K8G_MO!mHD7oco=_0dWjm_|J*tt3V=`Jk( zyvtl|XUSJ-EEygy+yfpQwAn&2hGbmCe!?ai!b|lAr9&BpFELBUa>GMu*9@AivRb zDNd)(XB8`>RDKmtXp}MhUiPl)cIdLz==X4MBg5so>{(zH*(s=|Nn}(U{8Us#{A^sD z^lU7a;*PKy92T1*he%y^RWF&QFz`{(sSNxFD#5nTi_zxt)ACJgI_ryrmpOS_&(L(a zJ?IA=XSAwYv0{o&^j?bK;180sd$$s2IRhHx_656T`R!6=`S_^iX&ezbCDUGBXsQ>` z&uA@!0dM6K=qU|rZy04b2JAf3e4WQt6~X5J3Yz1AmEXv`iY5=fEs%Buc9O7>a8TFk zZw2+1rILG{=O{S3n~X$cp*BDyEy3oc-$M};C%>u@Wyt1h8iyWUiqb6EPakhe$rzL2>H>b$``AshyZ0l{Zmv9^P{ys0N__*DZ; z?JTU;j6d79Fb}t`wPV!TYX=9hS)sqNbYUd2xYo7WVw*!CbL;>=vBsJ$(X36NkR~dQ zjKPqMzpRrhtF(*bv(xCb!66}eaxt^+cm4mG8bgpEi*1F*mY27&ufQOwXC`Y&x}WU6 z7($FAyu1yG1~e53%}X8X;|&U~dG4OMMqc{)VMwmk-Ja>*B(&O2FJ+?TcJQNT)-rrB zbo-bBc4u%1bLv4hx-n{@bhWl5HsBjd8Re4YKDW@f)Hi2YbLSYH?*kDWPTYr=W@d(# zhRVvm-7mDKlTgsif*b!zOtsn(iZ&`J+Yl76*Ya&KFHqFKIdL(UB53b%`Zj0n-OR2k9P(L zpf1;nTIP>i%o!e2$S}RxAj>yEBmU}aRQ~ish`jAxYrK_~x0+oV!cg+z*yV-<>9Ztm z*s+=ervEj${&N#r4RcUyb^z$3(iBR13-RG>v~%QjRxXppaP3UyVwR`F%^6nA|K*Ox z9-YhxR-cu(AFJL=O84{k&R);jHyyrnz3I5HVT{c~Z)K;ertUYU?F#k!=@;Kx|1Nu zdWCWNGE?Tu7DjO;3!7gjek|~bWKZQejxqgzG2V+zzBGVo0yd+x#4(@?=gaB`DNQ6zM!bH*)mCX-7bZu_=;mU^zI=yY*RPGR|wRyer6!%XNFP7rkmZ(0d}`K+f1 z0At*YHvfB`!cF>FiZH=nCDN#{7DD7E`67jv?57-ITChyCLGhoYqs7z9taSK0)`xX8 
z!+`!g^L#>Q1YkgWt|fBtCtkJ)?5!<8dA@$yyH3I%?+w}QM&0B=dDbD;CY9IV!{q4k zw*eDCd;V7J!+zc>`q5tJSUm)2CZu=lc6X?!r(wo}8-tAw3JWoyO$`n2u_33JFyB>- zMl*qDM+E_NfIsdifgVx7_7TN z!K49UnSknon_pR!0$Ps&z7Yi_(wSZxELqQM1CLy z#7GH5i*N=5gcm6id2D0Y6|97x8CD$@D3K;lUI_`EEb^h^@0>{QNQ)iYGys!}MkvRc zo-|CdCK*ja9cHK&c@$QH8`uSPrB<9J3`8cJJv7k0ihsxBTF z^lMH$nCinOKKz$v0SWO$s*bSL-ck*Ib$DE-?^SSIim1O@&{Yb-83~+i(GnsVTf#{t zwv@C(`I5CZEZoJ})S(jb%)!`H4mnuGl6FuOnM%a19m>aVV*bs*=YZFci}= z;!+BthvRZr_0lBO;BMXMFD)D&z$N}oQgJ?F;H%vcpPUJW*PDV{^=%H43Vo&uv4bkf z6tvs!dMcRqg}}p#&>UnTX(_F>s6tL{>Ucp+(yw4ZdJ!i2m#XsOD_C52bgWp%iKMjH zi;=pbr8DS}x{VwiJ`^;|yumwVmV_Dh6szHyc%*2F8QG*d%99p)%V_J}mvBy75u7rq zUXuJ&Tu*isEs3CC(kP<;G!sA~7;&;iaTbaeh?QwFDN&q%lGNB#4LCCddlDRJvjqr# zw&wOBy`J0~r!h>rf{BjfSKjO`CkxZ#9YG=(9rEVyYhot&73EYhH!QI2eYiv8(GpO<&^h{ZBUjFp!0&}rqu+gK4r^U z1W6d@z_jTn=DZ51f8j8ne*B-1wna;cKobbh>ew>Kghtd%d|)il|BKQZ4*b?-}lju4sflo9E>$I8Hn^lvI6r-BiO^baQBvhSUO&aneDCaqpWs>@i&($=OFKvfoG*zl#+*+6C$V%Zs zS z&&mYI#o2%OL)g+1CZ-vLQ7mcnMN4SufiRCL4_W<2W%9FZs%1m`o6~B9BtE#x?&;Ac z(MoF@*_=7_T)+hyDwQdEV7#i}j3`PXYq~$sz6G9v?EGTJI4#+*Vn9n=73sVz!(mSx z6UDp?%OEia6tc&Hu^fN~)@po6WXejo{~+!yD#npG-Ssm;$FeBK#|$~LhL_j_@k8$g z`*3M0h=zpt!y*YkAl-;E<^bt)VRN>VKunhw&83qY=_#U7f`qHaXfHM6#z5OMZZV8inwh7@W@8urbL7$&+U>sa%q zkRs7aKuyMPuH|RYt{?p+7MG;md}fU+3s{C-=EgY(dl*?$`oS_s%AvUz3`UEtIElI! z?U1dbSC72M>`*4sfLTWAm?p50DdSW~&Z$t}=WUR#!KFlhKSW2rKd>!phf+|FG^=t{ z2rksruN*CV(2YXEm_!?qZikFGiz3{H?G0si$`|}QK6D7qT%?0`iYE$rY?!n+hok z7Hra2H~-NE?|!%=OgTuo3%w{|ltPJEb&@Efmv2}at#o}?fL9R|gi!e{s_NdEFc|8V zT)n!?xXd21j#`zn6s6xYUbp;ZjO8fIGpG=g0gSk^sBw?AF8xrrOtTQ3#VJX&3<$>b z03-`agObcp4N7o$Ppxne&DbnRv=-v5F(#?F`9d)Syil#IH3gK4ai2!HA|5YHnV$O3 z-z-j7(0>`wua?k~rk+aqqL~$ATF8XdNzi3s#AhtpH^y2>Q!kdM9Y4l!0mbw)u4-k31Es!F|dV2sVIVKqzuVY#~?~3*U*w`z#+g+M}dDh z(f^|L!-^SGl7~*9%Am!u!4Qk6*8oRA07C`&Kag&q^f&c|fj_0=cBoP_1k>86&I~t! 
zQ}2a!fB7$tmZ5nuo_o+wzB3`+)bMnK&0 z?;nt+sNiUmC=BZ%C=+`!`l$``2$#Wdk|Z3Gv?LEJbOeUfvX`Uw+)gI8N65BKMj6Up z1*u)6jMRy=ATT&`YGM?|xL7jo8?`u$(jSl@RWC|I;EO9^%x-GVs(TbdBOoMQGKdKb z!@$;6%PJ}Li9krwiNXa-Y$l~t3WhgWEF;W6)MkNLOu~f8A+gb(=M3n7TM$~W58+xQ>y(f!eNQ~5N zTKJm=V%R<6;^^7`5Rb`F~Y?=5O_Ahf`XJ#`HHol5Ahx&B{zBC&^=0F)Yv z5iUzmTK})T4R^+z(Sa>~1|k~Dm<+^O5%)m6X(-s0%t4}N;op04bYMcq+|g6kJCrFS z3LstIb}fQ+07!1j_yQVIH+E7HO`L5_rZI3G#Yf0Ji7Q>H-l+stdnZ^!5M(bCX~&(1H$t=oSg-wW9B?dy8?_jvrixoz@# zb>3Z1$4dlzW#Q8?h>-&)G>iq%3F@L&9hasFR)d%FQ}1s&X%?nH=XUA z>7C{EGvNxt3ciG#UYO2Kmef=%&oicqYyjy;?V>_BS?;>T85!^`c$_HzBlxvC-Qy{% zBCevO!c@(dQFGob4TUNa(wfftw+UDr3Qled zTlp;YL6JI4e}?_Yc+S&1o)gmmag2a9cJ7d~@m-dtOX>qPzYjXYPt zb^x};HgrJ_SuMTC5$f@ipD5RLhBbDYa2azjP)y%Vv$S+y3JH0D*`vmw@EF|)(4AW7 zdTH4LJk~NRe~i$2e-P6Ut6t$`%DD52GuBl0zt9wMIFfu#RlIy;c_fj27_1fp(up4iinH`u6=@xGItXxx84#Q z&E+!(-B=*v@^FV9$Tt&9)EhCQKz6g^k6j!Q1gMJrTy;O)gBpl}t_ML)G;7#HDX0=< zQb6t}aK1#jMnnt-{(#1+%Qp=6cT=_G3J;vTLPtZj6wB*0AGs|yOt-*>8#Do)qlNU0 zSYKgubhlnE1`RO)JR^D*(>&_)w*#MV8GTx*Jn8U?S&6h6erzo9f0MRN7+$K zPfc8XH-6tVHhUaK-!;0vmW|$_2Ac`dWl-DROLkni;$-A%QGo?i0bv*wjDG0PR(lnj zt(UJ6%i73QNd0m7lCC7}D|&yq(3r9UGHn6=zn$pY`(NbZ@tE(a7!~x=Q;2XSx)}@kYSea zb@;H#yd6r&sTbGvW-DhqydMkto2$h8)STphueB6rE zr@FVQa7fSQe!|~s2srk1it%qM)8n~LkZzju)pa{wt`m6_p*O2_-3ZeWOdswFYhm$bBWN-ddi#W z)7ST~SS&H$zZX{T9m^FN-t4%RDd>!JU{^7l~rVph*Uz%aS*R6BYePye-u%`8WPBG%dtG$rxF% zVS!s_=xR3l$%Ojc$~CRYbM}?id>HNvoy0s)_SKqw6>|tjpUR6)RokWXT*7qu({EQ^bsQV|swuV(WMM63tcLm2 zWEtjQW_pOhY=f`Y1YHC0c8wzm(_64(`%=Kn5GKi zaZ=S^e68+9x_PIbUT1tORHZvd&Ztmd;JwncmAq*_tvmiUX#g^mS}lecJQrxi1&xq5?GwRY=n0K~mmhczz87vom?k|^_h~zILZyYzm z5l}{xIf-Aogi&R|29tnG>EI;Hl;N_=F1woKVGNK`~UNpyk;dx(=K`*&NMr7mA)7}b;< z649e9o8xgB?9%4NKJ?IoKx?NLK=R^ydEN3IM{_#OH|t$k`C)$Axl8H$rdJF)bl7>E zgw?@gI<$+J)nMxEb=GV~GV4_3qftNM$z*o*(_ zHd#T8Bhl@3$HyJX%jaZji97FskB}=sgyK_OY5U$fUT7$AkJoo-pg4+NJF9W%VDMeO z9Yt}?Y3QKn412n~{W1InD?#?FR-Yl*JGnG7cKNY;?`XP?^IhZ5)n@eKbaxfIJ*_xD zP+&_x|3a;|(CF2&6u6Gu2PRSwl#@^J@cOKpe_204eEuZW;;}x_krek7z*^W~D`@%c 
zIIadIF%cKAm|+d&KeB5PU(gvY%jL+BZ@~HZTE7Eq{uA%qA6|Q(Cy+CEGRkt*z9B0RIC#6Hkq10RJ-+Je zCFPE?^vRg`UkG?H6XAT5hh+Xbt&eE6AnsVe`vj!lk9yMd1-3=8cp34ow#dZCwK>d2 zYkACJrMu}p867$2(7Tf#!%FbW;5?-=9yYK{x0_Roas%Gt<~=&7g}lBjofD-R~|3!C+kGYy~wn77drw7(5=$Z0E=Z#DhWxh z&_LaTRoZ)l6I}tg$ikh66E%NN&Kc)ho@*LDKj)3N41Aic*txQ z0mi*m&ZDi_cU~RW2<~mZxjPh#MlYPa53NZqdl9HLb)Z^#o76M$yy~tW?31ZZCIwZ7 z2U9Xz+PqTO9AAc#TfH%t`B%8s=zMRy2IoJyoUJB_?FtUkuqr%LO?_K4{#*BJx%n;E zAo#wRYEH#I2@#KIOJ&tVsI$LXy00-NQmwZ!Vrsnu;bOBJ5c!-s))`JIhDkLLWV~cm3OC zI-C!WzcpBt>!j62wAG(wQ!+a584W>;aRv^q0?fOQma}#5btQIU%ktN&X0n^^Yu~#k z&tsuE5M|i87M~S0`Mv(y^`cj!7EZX5hC<^L4#( zxta0!)6l(Wdxkub^w~HzWszt4?%%|_-ZghToX(aZ06`o1q~J0xFsb zQr7SMp!KkH4KM&tjeD0+b|Mr?1U~=t0BPJ04g{YR*Ca$nkw=evu^cDfyX*5GP?rC0 za91?CE)3oTHnv}xN|3g}_+`s5>r2(4fN%)tDXaJ#JWKa~Pw+1LYMf!5&YIof_wDnl zwkdj#uw}^Uf!pF3bNo)agZ;y!{?s8IW4v%?wDj4MUZ>Na_exoRyMd$j6<0p}eOXsy z+toU3x>J^gHTJ=U!#j!f#+Z0&hI40_<}_Kgxn7%#FeZzCV}W(qFZY;`2pMqjcC5 zw>^I8`MT1YPDR#$aKP1Fc#uAYKV%_LCr@zo*F#No@^FrDw+Zpa-`;$;+3V2Ou7Jl` zlY_@`clW1yv{O!?x*@WAiI@@{dfz(Ls&#t6_3HNLsWl$#s>!JEayzU@*zFk8+aaG? 
zu$Y2&DEP-1!-{QBGt!jJh&uE-{8A4jHBSgp!@p1`H{QjW03~$?|!e<2B`};hAS|eia1H% zCCK5Uv@z))mpOm@SVnt)>-JXv2e3eKQC78l*wra9ra{ak#pUf|B^Ts7%)9y~?50Rb z+He@%o}CaP2`~^SA9)6sdS+R>jjc|f<@b3!$h_~|e1}_}m5@vA3qRO6a*Il_55Y^b z-<|w(SYjc`gxTe!_gzGJX>d=uC8nsAV&dPzBH8)u`EIm|H8*KkjG?u?2fuuDF??Z< zwjFSpj~JydBsxTg0-i$|-k8v-%X?48C9sT_`OJaInBYQtSAu={nR;tHd zz&+3hSTTN;4>Bd zv}3T%Ish~;@nqDoGd1|8J~K}RN;Vl58Tu$R&diCEp0oKLZz4bVQg(-1dVV^F&h>~G zOzl>8bxyypo?1B4FHhd4v-2!BCazkXj>X!(gW}r^@NGRBUxVeg9hXGPKM`uRd>jtb zs$WbxUA)7=5$@dady95IzunBi=(Bp5N|+VM4SLmj1Sb0(u}0=9T)aq0n8s`s><+ec zQo_5&uOpn(5xX&tDfGJqQZn=!0BY<0>LYOgKzG2kBFoz6s)LM0o_{`-Dd60W)xp(b zh4b9;B;*SSi$03Ysuoo?8;bfyDpZaDLvaYrY&FP z!X5jOuf53HinO9qZM>){2Az(U>i!K=V90KzfdCBjO|2kar)KEIqIXBGWJvfZR0RtPV!kw1|Aff80W8En+Pn0Y4nSgCQ z4ck*A&5)?q29_7hAf^_J}huHK*yQY{ceLhE-*5iXrX*mzl2&0iF3o2wvLeb zq$^~4@9c@G&m~_smyq=M_;!d!KDA~xc_US=_?OA~@qpKPQN-y!_Tsh9-$oqR?NM*z^CMY=zgbaQclywUjg5iN;3_gwO@J+8)G$@$vo0$0#(L> z7@Y$*frkx#8h1)>7g8F&nW6O@pO>ud2$)`*0 z$WC|Ty|^W}NAp?fJxIB4h520+pf_cV*QgHINOR(E`mNw5shDR27D>3uXY$xO24}Ff z9xU0=p_rp@JDYD~B=7qzHu&yI3C9Px8o$SF%t_#HvH$CFb&uI)5#U6iLz(tDa=0s3 zIIC-?;@{=F_00Eklx;mQwi<7#gpUaV{vp6j>LmUjm{aWkUp%P)%Qp@=>tRN?uvh-D z^rex#=~Q71BBb&^jc15*K0ssY%;Dnf(M{vmG+jn8XzPT1uTd7~GOx=?3WWf!b$ry= zeB476^;RfQ`TXT7kW;(OF6XTc(K7IxHnRQg1x!`FkRK!`sqTRyH=}-@GQc{KPxjuO z+j-gT8fKr9xU^zbIdDV?oHx_`$~07`;n-}{&64|{lezm2u~3(Dg+3!&$97SZBzU>X z3+cZ>A6kEvByS3ORfa6kjnQjbIgD8N!SoK`uD!snMh zRz91(De0`=3n|^~vqh)JOBus2T`WyB6Nb(o&hnr79+`POEFL%8ztfYDp~%7;cg#hb zHr{#9ZuPpA5>TIpPudECFxUPa^r+;0ASP>GFQUVzxe9z?imS+>)3qT*Mg6Y;s~FHP zguN^LhcSoAeH%z^TOs?qAt8f6540s+&<~0MA@k-_CKcib z1IcjDg$7@8Q~8Gl)Qrc#`bHot_JP)bDvLOHG_+=L| zbrZ3xnzfT-oNC<7>_CPhXz?L&tXt?MDtisxwh?UQHp<(#Qx#o9>hTGCe;R zOUS&KP9w)HqT=p2Rrc#Zu=J-DT`{$Z{I>gKpYbF@hF)X7IVfdDIU4 z+3V!iNpKp^2Gwf9&qVi@c!~pmf#S&c7Dv2)Q;dJT566|hf zaNCgF{`eDWU!U!+T7cGF=Rt}QkGAqt10#))$r~oeA~R+6H}<5&!fjKIE?r$-_cq`_ z_G^}zI5pFm^XPYOxH+G+S-Mnkw)V`~$JEm`y~^Ne;L!-0Y#CFqcMQulS^UKtb9T-u zPcWNX3YxA_6_lS=iY!KjYG+rCgO+%a+aq>bAOWH9d*RgRP3}HQvz%^1ncq7fD^vo1 
z;$Tc)l7=&)pKFLQxg~Z4`#jQVk|6aPR?dHX) zz3EWneih}hCBkLgjiVaw{b8sSP>rf;--Jvx47cUYW|mA=6ns!-uMZAwpYd0w43 zijb-X7mIfVx#TKD86W4iF;dqM#AIb`UcW_uvOX5?=8+J_4GEV-Zm!R-i0*-R^=hPO z-5q2_k`LG&%W(RJJD7a?u|Ap<)zj;j)~{P>QOe!Rj(4buIC0~k>|=Oyt=Wm9N6fnMdE%^uTyM6%)5 zY>H>A)@n*-1F@N|+1CuwrMC=#e#TIo6Z!^TZc>~R{3c(;qzhSm|o$ zC9EZ^_3{O|b+SVlB|sj%MIF6G9#u2iW{5?EIc#L?mBH+j$GpWD{R|~r9Z_HCocB&^ zS=KhDYed(4tl?UA*Znj1EtKL^KjYexpeaQGDEy@kGX&KzDDKryL5AE z^5cs?bt}2KzLYtjsXo~D&z>Q_n`Vj?@UXy=GNnKsW%1ZmDR2A!uB^Oxs4!Kp@1l4? z(GJZ?0=f-H9W1_uHEqTaA3Hze#KNm6A$#*g{Ck^@07on6f+WxXW@2Gsghhd}Oh;>dlCzw?m;HM;S36EAcqwZ|8L4`Ufp$IYTLXL~1r8uGb+J!Tqa{dR_Bba9|<5s547OvIJA(3xPKNyjrI}t z9|uDQITmdcnZ}QSI@n9{2-V<7-&u8c$0}Fig}i`!ppJ1rP?JC>W9gx(=-NR&_VE-y z?%fvT)ao6V!m zL$09X{;RG7Pvn}(ERQG7E+rjk(Q~-00Be3je<)t>MP93kQtgSRBb`lJ4;}p0+<#w- z%w&IH#0HHi*@W}vY2L#42A2lG_u(&_tS%Q*S?P9y^22Wn9Q09o7=k?l61oNsM9bcI zJ%{AJc>7VLuAH)h1?2YSk#0iub)nNg*t`oAM0U!XEGYu`9&&bk!|%|!gNMqu?pS;= zywUmSuLc6_?r|e2QH@}?~v{3M4Q9gieK-# z&I}Asq1tfs#0tbd@9{Yu5wr?Mw2*8p+Qr@i-<5va&lv$$y=V-eu<2QI_a4RKs!#y& zG)tzpPOM(Mi7`S6f0F%I;ipGO!F9dI&;paCx%;(!9czdzi?@`w1SqZw3K#N)&9;3# zjjcqRDY~}f&6fvDYlevOr1xz|n%C^vBm!;rxm=80CIygVxI%;It4esjlfSH5HC9+& z;ACa&J`fpsI_slte==(KE@uvsAEK>g(Eb84qI7&WP<0RQ|5Dq70M4BW>CKX?jKqpq zAT8*r3>M6-gpIY#OpV;^&UBq*^z4{M#oiTTrfAX+%ELc|fk72jB>{I65?v$5a&a`&S21B5Gv?hJ z-Ji9Ci1(q2Qna6-n$32x55O;z>HDocymT#2c`v=vOYodBXfCXGqNe(O zD|eUnhHhp1@okgofj_^OY?RcImB`%gY?8SqbhfTO%271HtMO38=m?h0PDp(uoM->g z*gF-sEW>fB+{&Tw&IiQUBUUukp~K41q|?`0>H=d^5Ud6pQqfYm8$!N$bI zfW`PR8M2{%=j1Rw^<#>`Kdb(vy#uT$L9{J+jC-tmY}?j7wr$(CZQHhO+qP|6bKd*; znR$OQd4Fb-?#k}nRl9a~C7tfBRcn0%OW0+^)V_1M-g@VjY;k%z4Z*{>vT50vZG5w$ zj4Mf?!Q1ov(Kg;k*kxyASG61{x@kjIl!KeW&A&T)g?wi=fvZyfQC2nh*-E9o$1ZVb zLCh`J7*XghwqBJ}Ns*piJFjASq|&eT^Rk1f$zml44l0l{$KPN*X=$F^V9?!0+%kA_ zeY4*%Fu7yz*l{eYcH5&_DY)!aPNY&cG>QKeCi`eycW@JvGVpEsFy`xvSj5w#uW-QB zQzI@{hUB{hw1%-$ql{jCbD_wZHelymiHI+nSQeL(p0Oe0c;3@(fb~s(7F$yfH9m zgd><=nbLBQ)``-X+HqN~TDO7E#wZSbZ`{vdxkb;gH(07AxCGYdC&!TfL8oqQJ#B$y 
z65S8TGfB?)50hkhns^qKiKV{Uf|KHMY2%0N;gr}n=cB>KK^*}e(rpY7Z{yCUlULhD zv(CK{Y>x5OK7-=!L(|D!rlYE<7^``*4PKlUSwD|hPdWv!K3g^j0_ z230f+AD?>=DI#~M7HbKz=|xL)X_iSyjhZtOPcn0J0(geRS+K>HmJ(t$M89@6;FQ!NM1*lTd@^&?O;Qsq>W7bPsHPA!LJ+^6A74XD?_@R5j-p)4w=`m? z`=9rP|4ky)2%f1Pj44YG!2U@%5A|*grxaUgIgr%ol~-lQ(1~+Y=isqj);n0FJ2g9q z=l3bzVAshD_B{XxY}fkStuR`q;#r&18L$xlY{ z2u(>}aE7k;SU|N}l9{=b9B&mLjXK^6EF$QzrPx+~*F!1N0|C{eJ{dkLzu?xvB82PU zA{MRF2rzeJt2y1)4aURj(4h2T9vRhPlN8T9g zJXlz%_z5{u!eS%qhe+dD6ooDwl!t(`nzu&7Y)tTt?3RK;5Db#dEHrw@PvdR7Wr%ev zCLkAlwk<9<^NfJn8!#%rD4&pwBPnZ&5fc=6{uqnDtE(2?m2}IVOIzoV`JwUKj#JhU zq>1!h^CkO7@hN+hLyI&0L&FUn1Zn;bjXoTr5ywWzrvTY!l#GvpC`UIHr~xM7KoyY{ zmupA}%sUq4TZNZ=v;GA3i*b9`{1nj^(?|v2OaIaxQzT-q`xGwgh+`s6e=3kVOW0rsRX>!@olhgFT?JWu?qYx_Upu)>d%yKZsRMO*%BUloSq^iY(pz0?O zQsltk6Y|3=Jq7EczzD?8?D;e6oIIAN9=Gb=qiR00f-;Aa*uvB(@_?#{?zw~)-S=tE6+Xw2vlhmSf0sY%KG z7o>d9eBSiSohY_ar|hwj$$ivl=GXi+t4qt(=gbiK5SH+zE;^eNklm?8r_8RRX>?sCTu@&a^;Ug%T0i2 ziCXz%eK=@jf6aP;Ls4{7pPHSbX1MLX=j>@O>z!Qew$cpzRU^KV%}Sw7A@5kuYLl+4 zXk*0wwV66Go}tIF(tF)c zI{FANZdmF_wvxg0DJ&x%vb=Hc6Nm^yWsM}Gsm|c2#7pg>H{^Gbj{@5HkQxkX$JREw zzn64^lNo!|TiC=o)6EVZ-vS?lhvovGhHES)+? 
z)EP8wqF8(KvglMfXscc_9N}kfQGQ#R-~$)B!NU2A216f9ITjLh_NI2m`d%Yi)6TkK zrn0bcFVPjg-Vp+BI{0~dQ1c`-O{^@U*5+oh>#p;ZW0Jj1_PpqxTU5~(jqcG$l)00q zOto3zV4k86S23aCO=j{qflu>0JwZGnQ5WTf%pAZ^xa?WxCNm0Ih(S26SAa9jqauPerQ?;;f z#+ZaCgHpoSs-(l<5vomiN z0ZhU!iEZbRa5CrtMTM(gnxSDo&^;D{F5rrJ%4Q)+hHK_ zbA3rr&DrgPsVW=}>+Z6xf8A8w9qcWpQs=B}X-WPd9``+OwajOGJ2lyqq})_)Mpw6oisX67wwE+N$jOcxgh3b!gvwV z)|QWHiqk)1%Zh9L>rID4UD)t zkYmp2%?}mw3TvqcUV!gy^cEY!sF;o0SF^8TT}=X4V;aluH^keQ#p%o@-966t>bX4U zP}}+&&5PWny4T6iR~-XV2?5S(DX+^|K6VqfDr4>mXW#dZ%NkOB$%QS-925^EU|PmI zipQ2q&uDEDs>lf>?#8iwZuS3^E1aE^s9Z3I0S;v)lYmY7peL zUr_56=qyss9@uiSh7FAF;B=A-igg*ZbF&sxYTv`sF!qYYdVT> z-IVmJH=vtb8B~5YOcA#`M9|Rin-2EZcHnog zfJfKzv*n@7<$xs2gx)~gVq?14TL5bAXYUp|29*}ttsXVBZ-kYuoxB8YZl4>)j=|kQPIx}GEGC_B=p@6f88>y> zc1X9xZ|oU3uP}7cf^5?FoH2imHK892w`)8kQ5W@`W||~?4W%4VP3Z`OR_~ZqFRY%l z92;rOo0v7>G&p`3Z#;v(pEjTU;r@j>hRv=a<-Z7WEonMSIA1JcCtNpre32XiQD z^BR5)>OUmr=a~MzsKi3V$dHGzw>_VS*9(Yk z7rdXBp)_dDn^)j!C0=s3aJ(#LEzS)51t-OwX4gD2TjFIP^_)sM zI2uUlAQ7LLY>=?P#LiE#Z+t(OtM@pK=-oW6(3b8V5d@bh-QgANq%Eo?5o zx{9u16uNVWxjq^0>0YiXYPn2T7n|%diU`ti@wj4ZdHlCkmImm-s>oZ;SjXD>SY2kH z6;;?Ds)64%FKXB1w-9MU)&whAwLY!qhriubm9rKBPFisG9-7RS?pLj@$>0v zak1YnqwF}%nzd8^j|2m;#(u#iNc(pUoYe4y^_NTVn3cp)NKI9X_kNfBeT&h&nF>a{ zCoi{A5w(w3(+aJ~*LGbwBQ-bDB&_C79-aGpuzZS>OC)9Tn{~%ml|={NYBwR-Ro8Na zxJ$#np7G7NB`qda{7zfjbu^XF#s=PVFp>aH<$8f}9KzkbVrj*>V%wvBP|AQp$bmNF zbq$^NlcRj?NmcIiCaT|Y-ms=y(s-SiR-JJKMOVyl5x2QZ`hutBxnR(dyO2gO)>fiA zXWPMI62(nG_ErhDV|Ui&-O(P8(T)6H7mq_3mGNuJutpMSp9HB|;4Nv*22eToayX)>4?u`ndl##HH6f$nny~vtu!{lyCr3WW7??wBgC56W!R(=@y;q`EvA=>c5;BP(#UEfnCA83}!nInN*a}w)2Z;NnYqjzR`UeS@3R$cA z<(!Bf=B~MxBgQZ+anz3b1{(drGx)31=h0yZanFDRF*+jo-VXY-v15prSC{hg@|Fs< zRZR5b(eQtQoUsf;Vqup0Nyw?SNu-;?WEj3akOkulZwF67)Eb$xnQuGTB-5!J^c&QA zq*?b0&W1_XV4WvfG%-v>y7WX=^*j6^5%WE@@dnZz*2E#BjqCDPIQ z!V^jAy(#PIVlGTyLJ+X7OtIfov_7g#%6@7s%6guzW~4t?%0vQxSgryO2Uq)o&=IUj z!;%KY_Kn0A55xM#L;^QL6ex8_itM2!NoDI#2mV<$Hn^yJa{W%M{G}8#Y$FLLECofl z%i~?lzy$-#*zn?t`>E|&d+Vj?`t3x^MG9m9%wnS<-vFonCPSTDnyuzGy9oN#clf3q572>^yyaJ-~aA5 
z^z^(Gn!i2tTe={(mzIu>u03h}Bj#6uIRo|}Sj|Gz)UpA=HaZXtAIp!Eb1;n*&g1wT zbMVcS(0pCfryVCQ#R`O|+7ZY z`}BS@c?kTm2+89Fbi0A#|8S#%wn!X-#2M7??Mv$pk{Lr|C^#nuS+~!0j!aCJ&Vgw( zhL}J+J&oH!a+<>308A9;>^FCY`1h%Js}lZiAAy=F&IHXriljQQbnsQTVG(h)03AAU zm2`a3^?5=!1>a&_JC@$EKeg;tZknDQO_Mss zI{7k8sM=A)-y=&LW;E0;+%1q$T)v-x@jK9jh^}! z28TG0UL4$|8*83l*EX0wZR@i4;an~vY8t1O!y-ld!bl(Ctk~>$=|3Aw%&yLBMvK=B zik2B)d5gEO6l7H~Jo7si1p4p`*UTkLsyzheR^)_U1b)Aho^?>$JH+MXi!Ex^TNs{> z+qi=~Y;wpJAaz>bDq7cTwyhpnqrKbn9=rpha|`D9Z5v~>Qd>$@Dq`8>I~gdcU8j@O z2M!Fbk87RDY;Wu?mJHG*zLcx(x_pX;Z5C71m|u>sWyQNqa?0nghRLaRAxf}lyS|Ky zGUUHf|0I1npTS`a+zYQ@s=ZXBl`Dvg3gc=BwhvqxIW z&Lno>mBQXqpnI$qTY)dAw83SMZe^w}uf=zM>RT;UH2NTKXh&XYjXsyZTIHyweK|~) zizbY*#@=Bt>aJeryo*gXRxa1~Rw%9BuhnK0NrI9}@epBywSq-KKITEBL_LmyT4HC| zXAd~r-n4QG=M8_Vgj#J- zx<6MmX(zv=d0m&e8{2YAej8=D(cGfbE(kI5lggU+J5F0sO4)R3ufD5Xdubof@DN`K ziRRUoWwkau5aSIhKlt0Fj6P7FK2(D&!jcBDc!JBjS`n8=|5WX(qtJZl@D>-$Qxuu! zl3t)=_Kx%7$voL2w;r)m?z2!ziq`%4+Mpc~1uE7h5RiUNWV+7M{B_qQFf4bo zHQdR~Uga^bdGRQ=m9VT<(;!`g@R;IS*sgJ@mt(Axh?{_GaAR^);@vzhaR^@KlXS0K z9^Y3Tf6_1k{*#%kGF;j`b3gX^)}W(2uA=6hOm7#so}Ce1vjD<1)68y(M*{eQ|L*5=sP?qTPOns+nng z?y3HgFp9u0mKU+kupp35zzq%_5PYB5-7aKOz_RU1@~XMF*X$^93z42q7PcsRA{)Xh z`1SfUG(v@w646#Ux?=&7!~B|n@}m*8YlqG(NFW?FVXz1hFHv(Bv>2g`BulukAqTE7 zskaEmJD z^o~7}2kH$ZXWIln=TP@Q0!L4vGHgJiy9EIW($z!K#mw;n{$;S3bfQ7Nr7NHX^7EaO z7QHw9B4i^H))bC9giK?8XAxX-_4JoJNSHi>4Dxi3ia1>>#Zc)*OQD3fJ!Qt}Gif}C zdwddJdVTx~-MwY!66WMNzDHxm@%qU%=a>Ii0|_t2V6GWY59jCG9bMXh;NOia$BamS zjBj{}3&MvDfBJyOmYRElt*Scd%n$qfdhW;e*bNUtUicD(R~q!M1|Qaox5QkvHx+z; zu0^bzEzOiNRvgd8QKK9}FOKFFIhX0Kg$U06WM(*#BVyu?PNx#g7$$IE4SN<|Ni4 z4)|g!I|M8vc#{bbvoY+sE%>6TmvG`8vxmEOA^^lb_8+W#Zzk;*mwqjFYyi~Z?yolj z{Q+LL7#9R}v=7wY)(=Zl*UQ%L>DRvX#p1#Phg+?7?S0<`WOw}sixV3Fe)wy?PJU_j zvi0Da{vH9d`(983-DU!Ckpj#>_B#CkF-3e&Aa1b$vk7}0KwP5%W)MQsfajucE9o8Z z{?h}22fp>%hY<_>Un&6}=59oRv7i>C{MW|2?EL>=+wXvx|7SEX``O=Mfb744ciHnd zxN9@fbDCt0dL0CT*iVPymVL4QXa9(!e5~HJV3lzH+4Ogu+V29G@xXW4fw=x}IsPxs zLE!&uFaLf0|8b%JOOXHKM7zZT&Nk?EfOd@roT1-k2jd#?J^AmPXDgTgk@1!_ldZc@ 
z&k5Zu>?q*>b9*p*fdA}4Gsj@}{r^L6|0S=5E1cCBw3i*Q_5Zll|GNqQmk|HW^@{a6 zAl_zzaFGJe{C_a3XT)~j|GU<}zp4M%*zwk^7_XrrZ|uyFuF^o+3BD&pyX^mO%n_h-z_7C>zmDC<^w^oAEmRTH+w@fJ13L&|DN!F1FgcayM-NV5 z=66Pd-=fRqSEhWpD7n;E4U_IBhM8vg@dUXPL(E6}kDZ(6`vU@SQ%p`r9C3Jo0dZJB zOx^eUEyX*pkN(pDVcEXmT8PLnyh`sL0>=6A@iiltw@-BB!_OioXOG~R{&I*k49^lK zS%iU?s`X>^!>j)e$2YI61TY9P00004Kvb}js)4a5&N@B-fM*f_0Qav~S;|Gv-iVsd z-b{~L#@5JQ&(X}r+JV~G#-3Wz#>9b|&6S$Z*4EO@;6G1LJJZ`UQM(!#7#h>KT3KFd zn%Vp=0{E`hnM*}=GXP9iXwj$SjJx{hOAUp??&dc{up7(G2$OKB#zJm(fALawZmpeO zM`W=_XzMSCxMrf{w4@;N@K)0zMpbQOoG7j17~I7tGRm|VCw@Z9fm^NZ62sAx%~PVR zl~AK^_E-LxK!^G$LYl_r;kzn~Q$KEOEn@oc{PU$JoGB96!2R)aWufY%N3T@~(GVAO zSaeDZx%-sr-qUUVhBkug`pj}WroTJVh+tv!F{Dec=U{ysLy4ukt?g{<(*9vim+tcC zchp`RrKrP^{BBdGGGdE@$Vx zI8N>X<^uf@+%$7=@leOqW-)AUscTLzmeJ}f{4c{N8f8L;cKFZB@q4=uX7F63GmU1! zBS-o6x}RkM4aU>+zfIFCFhZ1hL%!yG>hLBj<3E~(CR^oCI)u;>e4PA3v>ZO2U62gq z!)bp8JBlVNw!bh5Jb8(=1>lf7?hnIBy*ASuOp%*vDk?PDC1{)A= zwdrHb0SzP=(Ss7BGF+(4MAFpDu2+B6)BdzY0w+12W#0EQX4dzLW~QcHXLh&vWQB6e zVb7=N_JyIr3|X+F42GS2na4UAOdE+GuBe?jwy^g1bbtp89DKM3adZvakrsdHCCQv1 z&(od4Tt7OFpEFy$C`HZ4x9D&f(6(XUc;b zb0Wj+OCM8mT&NjMQn)An*RFor8GOUd?Eqfm#3G}f<35H{g)$-(oH7upkYrI7zc4p_ zUh`)P9c9AAU??67hLuwK0WU^~$?!9hhpNqA3eDMdM~oUlTkO)*WwOQhBpKp%eOP*x zSc)DjbA-(v<<{GKrG+%9XqB#|rMr~KK5(O@S5>{&5|K2TY=ky% zl<>}Be^vBcUG$%q3R9M{ykowHp$OPmSYYWDp+71NI_UbRMdvY}b*|%drWwV8h6Ore zsDn>)!G0*_V>_$D(8x0pD8xNhBh9CDnVWQBvR_FxO-p5iPHfwJv!2f5ScFE0<~0Le zt}ch+5mebtsb|LMjW}e!7sgF)Po(L3NAh-Z^_)LSgw;mW&F{LZ+{fohkwc<>*_pwA zO6UV-1ufW3KlWN9lJFHL7e?HJoNlrh%J8R{#YKn?w8rT* z^o!dVI`DEzfAzQSnU);>>tkXy>Wzrv0x!r2 z;Aj^!EDS%C131|g10aJv#J8UrBzD zCNL=!Iwh~i8cij>iDHxn60@Z;$FXqJPe0&&j)t526^MB36Bi)8;#%mY<2^xD&fxQN z>9{jOz!#K6I+=zez9PpCZ~j4WmWdrIJ6b1j-`|oFhbo1@r&Ql6WixJjydHxN02As4 z(0}dVuJku%DfG9p*@Xgbg6cI~5mtqv=xp}Mg^1+KVwC0cjS&~2PQH!iBDJ`%p8Zgu z8p^Z@K-OkAKz%SqH)1f4op&JNUFLgi0bdcCULEc zvRRaX>L+PY5zeYAL9U;2l6X^HqtujeM`ZNqw*OMlbrmz=1Zt zz-qMsW_ZAsuWbUGRHQ6}+3PLp=K_r*utpwi$hC8Hqz7$nX0hcKBy|KH#+W9RJz<6N 
z38~gS!Q#D?VC02|BU3G~=VYA4t|bptKut+`3Xj}d)3OI5)JtcZf*^Ae%C!L?fIHjC zaOU8bS?W#lJTu2qaqRIB8KegI=|DNX;+C=lVel7xN$sUQSNHI>&r^_(;n?KajC@ix z^>k5kNB!frqM&(}{{|!>tpUP8*lTsAy{=7eof$h@a+ss1R!j$ zX@AQt2)Ya+R!>JejR}TKjcmBk>geI6VZ?7ur+ONNm#(L9#Am6$4@jB%iHF4gnR3e` zk9&!(58Z?k*RDr!G04jpXBUr)&og`??l{``A+3FY(+^I!G8{w|kq8)wGBtC&Ya9t5FO2sL|19rsuQ^q%%VoEK`Db zwZNX$UZx3h7fGnQX}JMI@;2JM&*4I7$W2e)FBGv+7*>q3Rhw+mxaujF+8p?rgj6?* zLSYuQDM+&87}@B(w%QJzii|%$7k=*4*DZiY`a| zT6h_Pl?Hu4;D1b57S{r(SC|Dx*%6m17u$*h)||I~ugL!fx~AD)2(bq~R(B$6jCE67 zPmlTyvo?%L8P_IGw6q|23t2yoL`-U;<%`lF|C;z{iH@j6Z>20DVjIa1z`K9ts?3B9 zz`0y0YK4Ft19&%M+1T4*2BA((5WxhBJ2P z#mVD#lA8#}sYRH5VPf+^Z{)kO5*f%5Kwi|)kEjtGg4v}i&hE0y-O_7Lhdt0340Sn8 z)T~rw1l_Q~RuYqZ2IAkc7gRH{txjM^M^JHA!EBe9v8r4Us0CI4N0~5vR36H|z7~AQ zhx5Tmhekxfz^R)-AUtK2xrQ+EF3%4AVXR{Qa=Q8pqQ04Zd)uq?q>eFa^q}+19ARMl zT+T1FE}gcy+4*93d(xKFmLfU1q2cJR2j;bU;vd1 zHY1sQ>kEV32)%?V7yZbX87PtMKlNu)cRUm>m|T_~y~-{2u45VKyln0nLsvNh?V0y0 z)!q!QHmvjL9+*(Uf@a+#6)dqO1Pe2sDm=#+gt=#eVi?!?%wnym@4Bz=;Bwyfv1+Xd zuB-`d(V^U?qH+sdAPD+~7&OYZ^m{C=om0a}c<2P9`&V%8(nfmb>P>Or^wjT{5`cRw z8TvWLP{Ohlwr8X*y{?!T+>OtCU`dmE+xGL!03m`wsmaarVtDQdDmpKbS$zW9+L7wy zu!W;1k)5;T7BJ;q7Ozir<>zX6k20l^&T`zE$t?kLX>=yjsLztGRW=@xWU9;HbY=T< zHMcix)xEg6?KsEW{g{VMkff@zUcEii{^$Nv{{!{Bt{N&Svki6%tFY#!d{Z4od{)dS zkvw?d-fYlGpxl12EZ-&VPfJ^DmGrbaV9Ja7)!CQeS8~)(t2zg%DAs*>lmun&7>(xY z*j@cE)@=6)slTc!Xu}^Ibkm%k|Jl#Z`UJV^{*G1zQAHiHtW4jR_40-l#|+b$gS65w zWFvzy+M|2iY;l|t_QlI+(YnLf+~;(s(Y)9><|||F&gIlGXD#-ZKMAX=Zq0fEIXUOz zA;pFrjGQ$-uE14Tt{?EPMExJsV%7LzlPM#M2aDIxu?JI9$y< z<~sybDoITEKEB?Q3)dZuRfB$f*LB9R6*W;x!%`b|FaBaDGGu5Ch2gU~HR#I1UCul~ZO*DMtLM=_OdI9wg?MdU78ZF5sfEz3}*9qv| z0ez5ih{6o0torGF$0}}^Q1WSyCYpR#VZ$08&MZ6*kR*?LAP|PoRcT1mMKYsJM*8Du zk$I}L>*{3xng({+i}+k&bt7m4U0zrYw)Wy;kl}E`U0$+7fA>HazQauN2^YEx07I~Q zR$6FTlonvB96$fBDfx`P);JbCh9rC~z^Wwow}lYWcs60EVq4MB0PI1^@aql>P<$l; zJ0nyv%WRZcWzU^7oTVETBEabS{Pl0d;Wns0Aj6B$_aMEJ2q^KKNmR_rSJ#MaP}{%& z6b)>gPOHNn{_6nU%t~)+S@C?oOT@uE&m{r4X(#nYIyRZLljpbO`E!3SCLgvfJpmza|!CQ})7#mf=y9J1Iv 
zWM6%CNI|y0XRC;2$EU|iN~7PrDymLG9ufFmk!JtH{`2kXKao!h>E>@c|JvC;p*cSo zb-`8lEY@kBI1Iqu&2d&ALZ2kQY_mrf>sY2-%HL{hAElZO3Wc+inCB5F3FR!ZkX9%I z1E1!vNFC9t899wXNi1*^(h)3dHuiUVH+CJ=TrwAU2E1#led^qL?y^7L{Ma3*XH)DScZQ# z$15y@#}2zi!Xx|U+D!QVGHEU%V7*^PPO z2A8`t4YgT;B2GuiR4rT~4vBAkY}?ij%*T+?BRR!bVikFc=Jy#M%JNMHdC&~a#MmV# z7`fTxw$D$@PQ&ff(QPI8i52)WamEISRQXXUoqt{2xou#?5Em3I<7^6TDDN4mRgLTj z@A7aYH5gx>_-bO1pF4(tVE7jND~MXeXLo|G<*j zEsV@4n%?;qXZ7P3i{lpyi~Et6V?(qdJtWTEPG(V)E-Cuf?(nY$gqVf>?6N$S!|_`) zz{K%2A&{pW(aOcVNnQz)Fq%9+*?=?ABDQ-E{ z+A3=axJjnpb_b%5yrm~?wW+>t3PdO5^s@J5wuim%>+y$w_Rf^hadV5e`g0eYf25$~ z-$(%|pU6Af#ALF)%&_J3G--m%-()2gBwp2D$;ydU0n~~?d0sfKWRe7)7e3+*J9Og{ zP&w)*ak6)4`rKNgkafHzHhT*wfsgLg?*j=aD zDGd!#y67?r{qE9#=yY){U6);|i1PgnYB4jT>u#}zl=E; z0Fjg%c)`zBkq@|D!hwRXk>lc+ZWu0krJk&+nlBF>^C>8;3bc0hU0WJQET_yLUGAQG z9xsTk*!~j7AlV{R1~({;w&A@JS~I(+L`fhNPMCA9{2NSPrgJFt>Ma@hrPf1rxmQ@N z9%w~0SXTa^E-i4BXJ=f^bso?075?A>Qa#X|a!j4<2NB}_^WamHUI3loQwLp^sR0D= zcRb;I`)FfDv2bk4hd3(Ud_6+m>jLZxo&~)sqc~;AwB;Zr)Q?i7>W5r;yTky-$wb$1 zc2Xg_y=~h-DXA?Oad@|_S_EtaW@=LwE8ZTH1zjcW@PzqCa=7a72o>(TzV$oLg{($Z z;&Bzy(oS0il@^c+4?oQ{G>8m9%gCis%eI*W*YkBl^Mr5c#7l6XFkAM#Y|Egyqxpw; z5xwB)!mnUR5dl*m70y*8AN$`C*qYfIr+UBnP}&J@z`o>8PKQrQ0fK3>+Vgi@SjrfK zjkv^3K@GNmn4u-DnHF_eIpUig5od1|VYcr4KGHWr(_)=dl5E4fh(ECOMR1xyyfcCHfi}l`hF^KsrjUGO&Z6io?Nhg z$iz6*LmQ-+bjH^pl{kP`*P+{~7irv9*_FjFYndTXS%o5NB`Bm`oI8=&F&?pO*wm-8 zK`>u=i4JNk~CGhsJl=Z#mxw?woiVCdfM8(zh4`Xn= zbxX?{s`=`21HK;r{2EWXE`&yJBuvKfP7ROPiGIkYc>08N_B_dR-L%w6!lT#;C@b$@ zYws`Po3Aa~hwbf!-l@V+Zr1I%N(SYbI3Z;3rBpmycE+KGnY6g=fhQ-a8846uP;E3P zr{I^Kbk?iggY)gynuKe7=_Uo`X@0Xc4&ov*7!#%%ZOMPAV3`-vzic9-N_ z6qbt2<_4c4)?Bny<9F`m61;sSTA&@J*kD{Ve*qON*c$(8?#KM|XHCFjL|#M3lz8e> zpz-5R(B`3+VmBkkOy-@?g=wXj$ZD}%;J|nF4m>4~gi*(r>#(KiJ7?HKs5g?wa;lS` z9(35so6n(r6lOG(w9VILEHvMDJspQos-_`>NN=7*Pq7u-bRZEhf$Tm#Z`ZvXW~(G; zbQ6lp{o|sbTtfq3G8I^e8w`UFo5cJ(sP8l%Z{DltGgDU&v zn)?S8aT8Lp2}CihLVO+|@V#C*oyh%cb%*&ob zg7=y!nle2(tZR0@@CV|{MDw3Gzj-dkLEKH5ea+L$_l2Q>462mbvQPGNjdnxQItHIe 
zK(pA!1>UIPd6BiZRxVtI+q_^uWQHN@acizYNglZP(JDaM2-i%1o!2Bsm8Y=3rpMdM za!vX9XgxDc6nX^FeOY3+-;cQ+LFj=1(FS$lim zK^?f4SUo?)K>>1b518BhL_Ecrrzy~gf%D~*B-CSF94q{fv_tX7;Fn4(e_or>x4NxO za6mm2f!m`D#&?PNDc%>%$mqbYG&P(GBmQ zl$pHW266QdQgYVzmOk(^Z1@SfnU-W0p+G1lqh6U^Ty7qgE`y3aD!dq2+G^;yCJql2 z=Yo{JY2Z{Zh{o=sgfR@sq;1H6lqU4n>qU@g?AR0iLlKE*MxCsLD)^`gUSc_5Iw0#5 z3E?E7DK;b}OxGm%{Ay&ARPZrJ&cC*qvK&p^7|UvTmCXqvrMPu)2}wk1BgnQlDKNwS zu_UNyJhDo3ZJ0^nV}}S~a*fDU=xn(TC)m+LcPBKn_`G~_0J#DOmRshT`8D~PdAZa< zyA9k_F1mW+Acmh767sa*+Y*tLFN-l<$L{-LbCiq-{O*Q==pP|`NF@R(cQNiV(u z`B`jW5>(72o*4WrLbJKQ@J;gTQ6vK1M$t<)HZPjWixGG4`kmX$u3H{IAJ~LIRd8@v z2)ETT4Yd~%%D2|=h7+<7riFurbt(sbTsn!)no~i=r14%COa)3IokS<8dj9Ihae31Q&^v1&+$8z(`Hau>D{*{`hvuv!j=B8!LYlTX!J z#Ct*EweR_@IToMPbiISefRLfPz}(|WBVfc<>)XA744oAbg^Y=9SUSgw63*SxJt0Wb zeu7-VrD^@;mnF)iFoyP!FQIvUN<43*_$)Y@gvvLkLJu54>{aL_rq5=t?ez)%p5oVs zoU+=t?`!_K3WkOZmt>;E`h>-{3IavqrnhbUb6o1I{`rTcE7$<|5+b&nFd?(op&6p{ z(JA@EQmUj~ImtM%;u>-TnXx#{h9JfrhD;1Uh`VeKQVR@BB5Xmx|DimUEwwl28tVn4 z>LqGj&qvQR3x**jvbXE4(#M1l9nSGj*$+(q7qa^O*-7q`^nCvYt;5O zA3{1k!1xxuiMlZS^m=U9fjgADJS_Ujn#(qYiUJvRNWzAx6WJ9hq@eEAQSVO=-@#yj zuFAuaCB^4H|H2svW;XihSj>vR^I+Okk;KZ31vB$WnaiamksOe`XydLzTde#kTTr|m z8o=MBP|yp_IJhmfY6n|S$y0wGqPht4UH{7>$D-yL3L_nUG{KNAKGyr%;tpbbhd*HR zk@NIcolK7~jMcV0>PV-XS1+Y6jV`7x@vo^xgwTj3#5A(&o<$$nd052`ViftT6sANJaOg7>9Z%ymfzCuzu<|Je zqdjEH13s%tNoi^nQHe4+f0U>aw_|-Oyu#$E7>{+0+9KHVLz0|IA65^G@cGxAOqMpd zqy*pA2%sr@9#JlUl9K zyvVO|5OXt5n=C2Iq!e~l#dHhCQLvM!BS^imKj!RnzuW>gPYamGNYgsW*e-YI1mDq6r1XdLo@oijI=sc!()ud=k2>Hie3d< z4ZMer( z!CG<3rW-i`qQ4-+Kc%Qqrw~>)I~Yi~?-oHvP$wD_gUr*fX4@x7ysyi?A~Gh;hsm=s z(K7Nwa+qTKbvbO8gUn77E>$ND9uRgnf%Dr?=~@sbx4@Gn{e&uc9+nTuH*b ztXNxi7~mnpTk#=L0H`S)d_K9Me36YN!m^5ECI!cckZ~fs^jmoo{TV_rRL@}dMukq#t zRD-`_Ov8EJ=~TC;Uad>c%%TZ&20}|FpVBUG(~AjNq0*PpHPS9h=X{bBYYFj^12x)` z+5VP`sRK@(Sq?7R?6*yrGi1e(%7-N3<7xn}%W;vYY7Am?#|v;JSus5EAE*hUzZ9ZY zu!Hw77i2{tnX~6}jE3F6W=*e3ObWAYuj5Z4kylg1v=g{pt(s~qw^X!`NZL4V+IY6B8-B>Z;O)jsN;?<07pRExnev2u6LD$~q6L0~m 
zlhUS(`>@yavafxM9yv6=uG&019u9(!##A{R>h}#=puxQvdl9VSqq3T_{i`ysm|n;- zxai{WvEV=xfw56V(67>pQYq_@cI$sflvj}-RJRWPXP`GhoM@BCNW#n^`S4a-&y=$= zea!9ZNS9crE>j0G*j0558iaB}Fxk&xfKFzUk}L!j)G>3h(4d%s)mnKt+*p|E zzibz@K91KGQ$aR6Xk`{-f1pnAQne}^Fd;cjb4h62*nf{8z$wFF!nNtVUgrN`>>Q$V zQKD@f+qSWzKX!I(+qP}nwy|T|wr$(ClY3t8joZ4tYS*Y5YgVl_zX^G&U22>R%uL<* z15FWbkSKkzuuh|JEU1!Pj^lbRc)k#Itzj0QN@tIjjR)e3AcIF4v5=e`wG7nB|M-ey zIZieN92LFFrl#35s-{tl5<1j$E{^bEDbYYvVp>!qnu2BCrW+-yD-K5_M4yZ-t7?vQ zpswgNhnpN_tcR*qr8~tM*2`%txd)lJv~DJzi@EFi7snTYVmN~--T8OM&$wXpWT zZoP)L)myowB?y|gDiqG7d5V^wQz(Sqeo?zwYjLN^70KEu+RH*4O|mGIN0S$C%U+d3 zWRhe5KG5|@Ck4Q%e37~4`a-eXu=^+Wo^@8P>(?&fWMrzHp{^r=S;PO{_4{Q%>9Edg zdi-Rrdh7fEi3Pay)wTr!qB3Kyk6a|1tikW;XdL?A$s41HOl!|}&bU;o1fN0YlO~m_18BzMJMwlKaZ&dc_l>D5Ekp24dH-DgQk2?vN~6Hbkru$f`T;Cswg`w z^3s@`X!u{S&t&QD57+n0FevuTbFL0OQY(@ulK3Sj3YZK8xy4IP(6@HulFrhdx&FlM=ot!Pqs z^-&bX7zJYHzONg=r1dd|hn&p|2b9o$6tHyXk~8`6f*F$TxQGsr1;=?fpt!%(khmh= zPVlD4BG2E4MBD2&U&5MwWE;Z|(4P$P%F$aqr3s_k-nC{xau>Ye5QG9BCbVLm3v`0x zXzlM{4}nB1Wj98HTql<0*}cKT+=$VPMqKGP=Gbo@48H=GK@>A8D7=(NC2wVnM;;O; zZzV-X&MziVBOTZemD#6El@s7Y4av?PE$-nR=6-(nQVcuHeu0aV{W&ik+|sAoPlH8e;UdA3`60Hip)~)R2S6M6B*p8 zREG&PG>}Z?BUS=Mvj0B4wuLQP6*|Flm$mtjp%VJu#>u$X23A{m0MZcj$_WND_$k`} zSsIv3f%@SHzo`k0plp_XeiNc{4o$xr)aP!+@VSSxC4WsofGoQm?F&C;Ao$w(HS1}0 z;+kYz%1Sr^e%&D~$sTC?aXRV(YvP;@dVw^hoP#oNMi!uaftKt)>mxcCsEDhptY`l>+cVsZ`Jg7`y$I?db~$x*H5$W@$yg+D z2QhgOs-KP)<}_HVat9sNOkZHn1;49*s)3~Jn2kx0T!>^&?D>iU$7b;5jJ&6s%HGv( zr_c*J*sl$dyW4L7k^9qGqyOG^T#$a|L7gn%Uy%Swf)M0?2~@JOdP!f50SRq61U2p& z-Z0ufON~Fg`rCH#F28c9wlq+?-#}1^-NB;yelQe-w>uHzet5Ud-5oif29ENdLh0UJ zpBaqppu0nIEf3-hdkH`}F#Jr&bIX)Kw@DD3?L9g9t`}_1;UZ2)r>_Beqe*3OCNZfB zhF$+@=hClX*cP_va6hb4J4Yo4Pjf)$0OlLD!Jf2%K zUu}$y29NZJ_}((9ergTDy;px}HDcZP=rlUSe>Da^q*WarybK=76cd816ZF4JPfN|N zzMlTeYU(}XG{(fA& zQC?gftWTQB0do34LHg{rkwKU4$i0v09Csfd7u5t>TG5EY0DB3lcBcxp9Ns^zB_XG& z>hzYpzmY3>H%^GhCFKbub<;io7rM+-m|}z4*Ke#*+G)h!HPiK-?db*w)E+Uun_YUw zpbbLFslx8r>~x)!kJHwXGS^!cO~G?sAqTyWG;t0&oP>_VZb#Aq^w=fF0elJXZ`-2V 
z@**NxyNC@nq0}$xCsKwbpUoyftKADGKW&Nz1?s6ZlhX~wWQi<(o2y`=)SA_pKcl;( z4A4ciAI0=(G*d?t`Ot$nE3jn(&JBfDpGJ-kG~ABW0y5or6zxV^@KqjnRricayvYon{4 zgvBvSw&1dnm6D^De!xyoJBg_crM)lT3ja_kJ!sgb)G?|wL@nc}{zk`iQ=q(3S{<=; z(-bWO9Z={z>QI0f*cq^ePBH?|7cgno>Rsw`2OxHs#O~DkB6s6fzE&tSYGDny1>SuS zvbb5iv*F6c<;HC#yS8mvwv!aqN9O;V(LJFc>iyjU*6o# z+0K?uPKl0%;eW~gD{UL6L$<`98@&J}M-Q6I@9Br=oMvOI6_uo^@cz@Hg?hQRET_+{Zk6&|W6G5rToui@)tT`L zgpkylc+0+RnJb8vy9B)@DlR$ILgi_SrX*UF4`r$2omC#CgPH0jj=svBU0i;T#BpD9 ziyZ=oy9Br01VLMl$Hl84EF?ZyZ(_|RspMhPrirBnq_UXPeRdP_HO9&3rk(S)D_0xb z)se%kt*tSe0Q%b|&Fd3CpVyZKy@?bxwS<|jv9ueiJoiSq{nHUilky`-A$rZD9YHqk zCb`d8lNK1a?&7~VF_}D~MdWz~-Kt@k?OwQ_x+4uPcyz^n_|!S) zqQQK)QEw$4r=R`Vu7In5XB2LwU=L`u-4{W;T{sDIA4{2kEI;G|t6M4wi36_nG zL!R5dS7Kj--D3_X9qB;m2m4(#b9B3x%iS2Ti*|Utwpkv#Sd=vW#Q8<_2aRmACB5Y= zDQSx%cF;9r*g2w)t;z@`m_sUlmP>}O++UhLvuDN}NWUi@CyhH7U*31+TD3R7Q`F{^ zIwUWv>4v6so+zCc6XxVjqM4Fb>(nQQ3;Z&So5de1mP|WJk9u54J(@SVr~1hV%89r% zD4FtvqzYTo3{_*_BvY>=FP;k~XtULpjGkj?(VT?H)5`6}A(B!&h<9ye9 zlh2Cxy`tocx81jOzUIp^Q|b!mW6rAin%gvU-uB&b?pw6aZjntXs&je!>-p@{y;?Dd zuzB5rn#Q?48O8qWmd3Jt?Q&ta^Ei8L+v@n=gCHU7#G3wA0af#$n_7!-dEl*u!nRnG zmibMR!AehM-|=xDK9xpVhpt#@cJ0ir3CXjXxgDia+l(Z4_R`=Ad|(nZB|`bb0mmG; zIWmM2g!NQuW{X+=D+Nv;ey%HJjDK5picG@5I2lqAAbn;5|y@ zn zo}yF93n7IIL9;b_=Yr+k-E{0^=Aa8{I}S(Y9NAi~MVseHGp_3xGta?;3{|hkzsJng zJ10~BnXVSvS#Am8;N`mICtvGTGddDBV%XdeAJ1ML_pjBx?cP{koM1+si&)r7Rl0n= zLLqtwvoJ;=F`eC_btL&HxjiAX#0yZ5{Hbg)XTMegUmZkw2VrN`IJT?2*M(5kq*5Sm zyIHjKh8@&v{PeqyJV1n`4(&&6TTB5(vUMV?O2k<7E4Ku^eD!i^+13c#QC!x=*1W3c zlXV@r<7f(htp_$NN0Y`m%O?d00b#3{aI1}IVd*J&i6aL7!+bI%mtU#ERB;z(@2OJf9Kfb)!$n7rNJ*p1bF;(7q6bnu4i3c``m8NjpK}lzz^VyZs z>`K!qY~1baglHR(syAUgAc%)%qnnC9zDW=&;5+jmk85#Up*t^Jy9ycJsUu@ydKp>{ zN%1`Z2r$O%Yz9#V8PSJ)Aua9br7ZP^_55J^lcHynzPQFCh3n`Scn;=0@JJePJRW!u z_`OY8cV-2}QIQx#u$mwRYr_CtwwlL)e`kj*3keTn|yQbxR&nAWu|7Usmp<8<$yn48oddjIizIe)S#1y$5 zl*~^SDkQ>So|8*DG=8=Vpg@DwO&0osx~T=KWmIm?nfiA z%PnI6WXKlO_+e5=!Tu>C@1y9K%6vOen}yOvTcgCX@MqtjkH%YCF}OpOw{(KDnZqLx zgeXU7f|sM#K;ueFJ89D*p6(K}_%vqhW`Q{GB=Afr(G*U?_r?M}c{g 
zDKcIx>?1-xe@{o3H5T|RVGsb7qKE$@6ns4LIQ1ngH?7ifFvX}fz*2`fkQ|>GfNz*9 z))QgDAM*+k;&CT%A#CFCvn1Iw#UCW^n4Z)$M46zf@71q}GU!#6;gLgWjB9H` z#Sj_eK;(h!XpVS?$5y%5pbeGMBXq$`<}ENtK0VASxJs3sn1H3JNs$Y$rdJ+neWfOL zH}J{CTrL)zcO&B?14Q7!s0Z9Qx7fOaql=y)kPd0e$B-b>e;c!~S=*k98;U`h9&wta6CX1%yw|;o;13H! zNpgh<9Ps%7PIRnh5P!vJRimJR)1>%!qSPEq)We@T5*rNqw0V#va(pT>K@HOV`A`nG z|L8}}4=bt;Ezs=DZX?!t(7F zdczv>HSo-)MKWi(zRU*m=wDviifpnGrtSJPz{bI8psElQbTV0{10~=Si3Pw6p!{+f zD&F)*6yflFWc^6yfCS=oI?;cq^)K>p8NqCU;<=!Nr!#I6QbSX}Kg)DNR|{RMh06k9 z=cH9e1LvE?)--<&rf|>@a|uQPj*ID*^`(rID8AWMS9*ZGar#v4SSCZGg`8up}jw_>)x-cd+Osq=~W}WWg2ENlqz^LuO~@Xy3?* z4E7kv>+>SO)eS8KRAz7D_2f|k_maY}PiC`;USHxTmBsB(&XVL#m<#kABAX3;VuGG( zSc<7vG~Zt|`yHwM#?d+U@RyOua_)ft3hK}V$5pF{{6Ze_K_Z^;

l*Z2D^dINe3O z&-Rxd@zENE%U)_3pQ&QsLP-N5V@2R*!?uO}!qMhabCqW6inApi^a012!LjBlRsQyq zpuK)1<`u)Cj&R_HGb+&(>dry*2rkHSs@F%r5Op_H;@5||_Znp}xByY>w^>^}IfSep znUEMq6MRgm*-e@B+{)@-=;T$L^yG6f@tsf2k{P~2t2=0s<*GSRxo1GOp$3uD1?&VGag@fX?ZMi zjw@^ZT%cWf=o7UB#|M!-W2|9TObyM=_ZnTjCW?-wLC-^~V)z4u#f0@&Jrv(Lis`EE zkpm0FG7n4$qR?y*3H4}9T$%q^U6JxDWREbi7C`^|!HQ)x8>^I?B--*R9}Z=p!Ut-j zz22JfX02;+{y5B&_VvUh%M8lW*AOWY613HNhFXF~ghy&QqP;Oi3h0fm7t@UeN~`b_ zkSGJf5K|s?q6)6;VTko72B~%YIoz>BZd0PCU1eM|s%Gb-n8Fm9B4_H!NJgG=%bkw` z=Ktp(S#*l5a>LQOiPxf+w6N`3Ubwh z-2_@i^72xd@36=t+k=_c9Q6kij@BXyXEQ$4s#C~rh$W6(ck5!}M3cFXXko99Qv`+*Ij+D0RdEI7{^8&ds)>jIHlz^L(0rD2TXW0Zpt>z-x)3GcuA1K?NPCaA%LEdh z(Xu($Gi|2q(pLz${-@I!l_w?(#@0A3UMwM_x+P-n8FP&}`w&v0_v0D1?M@Aj;8OAm z3En_N36(bgAP9t|j4=gbrrj6F$)o4ZjM_r^yW4?V_*&)CMpyi!;OBK4Y4PQ5j$HN&n;0j!XtCq zps+fvBS^+rqpK^>b%KsE!HVErbD+^v(} zknQOm$kK7tLdv`yevIN(jJw3EHPpsPMW9r+XOi>IILch0YknEitV1SU)EBy)t5<1s zt}5q?x#NBDBq@SLSrSf<^bCfA*um|0B+vA-H#7jRz23wa5hFs$X4kNyR~q*Fm;oVs zbUog)mevw>a zSGn#RiESw*JE0R%0eEb!2IFX07iu^*B-W z>YM(>4m)HCUt9xXKp&oI19CE7X2V>ubAHg_)ylTX{*FT`ELA2mI;%!PB=)u0c+Gv^ zDYgBb@tndcQr=`b#nWXF+2EuhU#1D<{Xk>GRVW^ zZ8oUo_={qSN(kn)j%m#0g6_hlJK7E&2ctLB(Bj&xvssf-@U!x|BDSaOC+Y%o&c-p#1JTs7w3l&uB&GMQLi8!!V=QU2A$x)#{4OvYl6+f{Xt zY6j=uhS9dy2)C>5)7^TlbjmV-wE5r)*sF7~%*(HY(UXdKLQfzUuAbjK*RC>>B>iPEFKh|yZb(k6|skH6zlvjl?DN(xMxtnIKfsqod z5j8t0oP+6M#6yH~ba+Q8giiIxahZ1s+6YmV4zsOQSac5E?!r>5%k&hVQC$wwq7EKk zg~xvgHg5g1{YVc7qT`MVWAn%CjoKm6ALXl4E$|tsdbR?UwKed0^sUSEWncGYU5mbk z+l^*+m7^oE?X6qM0!37|o`Pb!AkhOMm>mg`Yu5fQrpkKqPB+hcc#r32%!>fBQnXVJBuCTmxC1Vx&4aWJddLbo;UtdwV!7B5 z(H7qh*+0CBW^B8BYB=K4SbqIP#7tv>p9<4IxSr?Fn>nIcvbBs{XSq$CrHeO3y99CE zhrXSgnJpubL5qv`O)j3U3%r~e2#`Vd7G4_!(P5C?E6yC5*)Fpk-#caO=P_c17QM@P z(V|JNy~{W)vmc;yR(S}eX4e+AyO)TvpM?Te3t4btrId&LMeG;R2qV=q61}^8=1-&e z(b>)1rQJ8i3w)ed2qi%Vulej}*}2a%B}uY&OZYi2BWB$}{YTC`SJEYii)d__C#OJ;wF1)qggvBex!d{tZ&F z97N|F%G>$2SMdA1`DA~dtc-H{V(oT+)%iC5x*275j9+7ZXS#tTu4u_V`$sFH`^HPO zpn)~Wxn3zsW%=w$(0)r~%%79z|GY#k20!oZO3i#C=dK(e4Gfx{qm-pNut^?M@Pdl! 
z#8#VK-<}wixnD`arbqu1mh(us=rCQhpYjX1c%(a^R>Vg8A*>arP)GpX+}E-4nAX1j zzTMf`y%P`M-G4a4=WweJ-s?%$TS!Y9ncr;W=M8ECUpJG4hg`C_7T`XQcwm+$RlH26 zL2;>D_=-Y+CZl}6iB>{cybW5UYRZrNx=Om)Wa@aINZLh=`Q}^(wBaIJy9(wD-LZ?OBT6`(U#%V(EiCUf=TfAceK9D(>zo-@)zTJ+tm-WGiF6_hj= zX+&dp?qH#@g|jSczdA=9;I=&KEn!uU*3WbV+eVtjEHhpAVF?Y z9%J$-rW~_$;d_zc6R}x)J@s$c*Ph$ix}z3e_Nl#cw-0QE|yHeS8$! z%AbksXQ^x6;bStNmJ=<3w;6jAh9VzypXguY0RmQC2b{>_txlO=>DUJKo$-B4JzI=w zB+@`JAyeABH+jG)D3-@g*Io%uLs>p-TLrJbSKT&Fo8pOdU+*7k`t94RFVW%&OP!Q> z4%;oATJ_g0d8vQBC|z68k)RdZD1Z_8C0DF({rnz`P0?Y9{s8CGdUY@&A7V)4%d3=4 zB&E<(u2c5Eu;h{w<%5|#(slYhbma3qQRrf7Y*=qScaYXT+8p_O?ytAwyH7X&7iKU={HnqeU^1rgH!mUJ?1DN?G#MvANfqB5lq+&Pr77Y-h zhYvRSZT8%9?4p*p-we;g64b+|AIq6#2?sQYBxJvq$FgMx+W$a=Z<-_5h_qcmwL*Gk z;6RCK)gcc=toMgeTOZ+IFvGg^cMtaT<$}7KxSxJ~EeFR){wV|f3y9}W^}CFUm>IJR zEr~TFb@>&}>Le3hiaGi_8p}sm`ojq(a1Wf`wS{_Bl){1%eN&oof48S^-{2!8@x6o9 z#v(WmnqZ?Jx6sZVtW|*~bf45*tNo!Spv#y6bVo>={$gxrwBaIZ&v~W>S5myv5}?`f z%T~5+|E5c46i*$qMx0sv_Z`HJ?Kv4fHj8G3cIm5}tp)Cl*xpy^S*lPdkMFx{X;`s*ykrT!4XlpYhuB0QsOEd zcqOOCx%be5zwL@%T^^{HfmDR)w8;?}5mLJ2u?vmky9{WYNruvE76AS2cu$*XRRYbD z=%0Oq%EVS`50w<}HaGRfGv@|3wdYzo!2LfctLEPayg6W{-qXzaNu(`Kd*TQA%mpPm^7nF6`%1EF6(zL%{ zNzq*c)?XG$8{NDHvkmQa8Q)(jqs6M^`~J#kEt99+`~h5TLacxY5sAcR!+p+Wuo}n( zjX`}MV7Y5V(6;r#3}Rf^ic9Ke9RjYVVc9(uJ*~TbHn~K2QVvQ znd~!S9D9Y5Mo8h0g2;}rr46o24Hep-eH_Up>Yi6*3kN{?+Zm^ zIvSbGN2rD2(IGUifYp%35-MsED1PA5UB*BGw3L7l_Js#+mCZotG673(Sg!le>?i3nG=}BotvwkmM9o#KEHSLyE|p^k8ri-0#F zPz?10nxatA^-H|ShE^=bX-52Gu2)b8Lkz$%1m`Oiz;XAtKG|{9*AD*FiiNX~QtkcL<5+!(Cq~)_<;9_7nI;9mB}>=V72b%9 z<#u`8Gx=ynSC69yjK3GRFixb8Y02(~mqzrq!HLZ@VrVeN~`(_T%PIZji%&4uB8Y-M>;v(pRc4!I17mDI-7z8j2-oFBgmd7ShnmeZ*e zOI|j<-_QFeAbj-|RhUgGb}iaCb+z#L0GbZ@^i@Adnbew%r0Jp-g?~#zeC{lurDILF zN*wz}l^m4Tp5b<3Q^&@NTuLIBw;Y`vvKQOf1zT4vF9cQVw&uCSl(;ij4=YRN2D}wM z)DM1$1SpA0;SAk-|Bystis$RPBi%yK(G&b}3~ZpkTC&v668EovOKe(aA?l~u*AR_s z%Frr#UKyLOkXT+W`VPtzjqSF91}1K^(qgqwa^rjz+kRRgbVY<1%(+^;+pDWNdGcbh z*N>H4!pSV*E&S2-s|?5W 
zJyTRvTv;IglY5S1gA{pY4(&g*{6N#(oG5Wz8WU;uI;QL_Gv}aq0vp_pSzedp4T%kQ7?IUXg3hIW3LcFO5)&b6=djwf7m0&>H5YNY9C)PvfIn@2xPl2008r=?gm!NP`UmH{LS8? zAx78*@8hVtjW(@KQXH&L)PHkkh3F84iRFvL*zlP~;Ro!h`^9NfGa`CmFiUb|hPPP0 zJ=?J68o;Zs09U0ZGf!CJupJ_bA82!Q`z6hW02ojxv8H4NqhpI2=<*~>>Sc>DPk<*a z&ADYdY*8R2Dvo0_d?(H|Vi#11YaYhr+SlBLcJ+*k&glj&oYlED7$nMqlp2-q>+O&<_B z-En3Vp%8g*7@0~HZ%KJh+KB&*z*R0@sOXQ)wiabraJN{E?k+@kX~Iu~<_4pK)2h|9 zGxtTB7+9K{lCazaZ1V%^$4sGA%|hpuP=hf1@%=J_^r+JqYH zpaB&u?MIa+iNRqQss#di%!PUNX=KL}{8n_gaP<^`!@XeRuv1~nM&$IEbElrl?yfQJ5R?}_+c^z+i$BK<9_-u)C>8%I3&Wrgyz~cSa2fZ$lYSoD+ z8K*utu5$^MgNI|{<>y}ZChhPlEw!>;WvGJ2@RRa6S}zzP2Cbf!I3dS|f~H=XZ;->u zB4Tbn76Ilx@?zkV$X8UYq`pieb|vxFVP-r_UAS@3yf+@VHvfe)usoxt6tY{8jqKdB zk_9=Bh#&zl5@MIi0F2Qyp;u@)@l6f?6>Pfx4MU7CaD$s@HAO97VN&y4(a@p6Ca*~n zCmGsok_9=;)_P;oBa*Y`Wuvq^)!jl>`=Xo0Vr8_c`pH=lvET%b_6Cn#KKvqC{zuuC zL1H@y4YqWT*lEj4k0tzF zD6f_(6U3Y-K_qvzC7VnNErX+h(efa%+NR>J@M_C(jrcD8egy$O;*6G7l4 zoAn1<%hgSPg`y>SGfn2=^u5V3v+hAy_w{l*TJM7umzChBlt?!G4SFi1*1$tPCvDcS zc4n^_GnXpu;}4y|gj0x-nGqLLB_Zl*LFOK7#VS?ds%W(q=aGX-9 z52_+%&hw9^|F*Wn@iaSA@j>FdjR5L|%g&uVrlr@;r}`t}a431g%ef?+(@5N;T;kLc zyi#U}ONO-AoC0m$X11-v$K(D}K8)-x#%zDty*yIja_t2qCR-9Tq4AFNU!nWsp92q zc2DORgghewQdk!Bc)wt0tlCVne0Hm? zpfiW9WJ7JV71txzJ@Ok4E&UAZ-&>Z|laLc{PDcLJr7(;El(1Xqu&*g{A?`YdB`R(Y z^W_A^y7a1|5-a{qC}qnBVJe0Jt$&wGY%LLN&*x!o z$)lXmsW|wL{Z4!xvrkk(Ok3Yo;F%)|GUll)(uf<;iCfsu;P<*<^oQ=$3w6~oI ztl?tM2u-Pey+GMH{`K;WVJu4gq+R72?B~*Y*vmsTj}7d}A#CftAY9W21sPPjG--;N zR2$W)G2^(}ul<24v`0~GC*NdwjapBB+n?08Ke1p}6;yo|Awe4n_!FUGIby&+8;<{X zB9-Nlh=F}=idkB4bRzLbfIJ=7dYqZ3EywIFR$n&4FdLlr(XKtfzD1p3>nH*1uMe)^ zn9JdX(Y_ly$}(mJw;B`t+|v-^J>ZcF3xrF&)__EXeTC^%`glVJ1InSH=qT<(6RKH_-FsQ{8^|9B5z-ll2nv8g`D;=)H zsHHwsA)F^-y|a`LVOloEx!&+m__n9jI)o)oF_k@T_+iOQVxzp?zo%vl1WH~_*l+PQ z)leqWRuF`27o+thvoyn%3#JFb{**r zUp~BVOzB;KnmdD_C0OQg*W!$*8B?Cf*1VH+np+wcsqjGVMZ%leYI-%Q#? 
zD{#?&bo@^Gw=#)>e1WO`s(B8wBpoMyknU`?GNT2pNL?B}HtX^*pq*`0#R4~Cr8k1y zNc*b|_;A_OuiNtAubTq+@ZK5?TqPOK7PQ-mpUe(FKLqRfz6(E(9EGi>kt1$wqs6n@ z@Wl2HnBp7GqEc(?kFBiVacnNDEf*`;QdF`wykp3wT9s{dBhPB8C(e9w35$qqGh$DE zA!mzD=lUIbg!B+YM@{q&FXox{X=FoRSBu!Mk*CJ1x0g6OJBc`y72 zj+d*Gin-%-`*fPt+vWTCar#Q{%jM_r(we8on@QHcdma{KN?wjZC~&s?m-~Bv6!Eqv z5vlqMBQ4<+tPD9*f$%(|y`6)$3PzoaX#oL? zNt53SxSA;+{)6&c(_eJ+(UxDTRYokaNm2eOS|R*n%l3+G^z5de+C6oWj5%q|bf=m% zM^ca9~Ai$TS(v;o4cizxUy0I@P5f8{FF%_I32=HxZ7J5LBTG8f25`_-PF+0uOZl4b|t zVuv72{Yqx2NLb;MgCUe?$&3?S#)uU%CZ0d+b}w2cc8HepYT!rzDy1s#yT)hf603SzR^bE}=EWM+`B~xg)d1o3 z)FhJd?joqwJJt)+ZxB`XsQTK?)7gZzQ#dtq#OOc?W$=s)g?Of=69*3@Pe`d-`n7&KaAsc_T&TxZYi4K-fQV0DC@m_r9E1|8% zqJsNUY3;trJ(5b7B}-x!E{Y9jUa9jM3Hk(E*jS<$2@&9lEgCD=)D>=-ZMu03TIp@s{kkqYdoDFaK;@0s zpSaTp_%@?<35X#UNg$Jk;Vx(+U^ss8CB4m}lppNUsr|IT)AkVLCK*N;h|=+~5nw9O zD;o@0jp_dN79=#s_G-$icQkr*2#@=HU%CX?VXy$U1S11qv(iS!AI|moy|AMJ5{O^9 z>@05kE69Hzd-_Fkdh>5*xp#T$!MeAxStm#G5%dmRa$SE&Vwl6ds;0h4sHDCbrG<_c>$ zr^_N;Chxe3KUjaK;uG?avbmQ|*5E;sEsVC%Mvf&ojB??mN-Kc2rn?Z^+mI!Q7S2a* z|8XQ)pjNT63D(G^Vr4<$d48a3RV~V(TA%NI38Va^3=?+*8RIRi*iFVVys}b ziPv-XGZI$o=$4u6HVeadwGh=v*s!51Pd6lOuEs|vR#gQ7+5B4d`ZkZIqs%boATMP| z$u=Z@MQMHm|{dQ$P1wA=F@g|p1NBT)$% z$n_vD-y4S}J~u#`h4a0x{O|f$0kVhOJkXGkNP+TbnP>|MvHNc%L^v z7uNJj`iM_k895xOioE8!>4M(so?$!syH7SP4m@!>QxY zieT{3_ju<9zHw*9ny>lx?djdC^EuiN+~`lny$wF}b^m+b&z?01JjtoaL|YDw0R>_9 zHz$y|?GMLdPytkS2YHICeBPm?dHll)ge#AC^ANq?>R!mB zliL;z9as;&-SfsDXY+FRV|e=aUb45O*gVJJAbdW?i5tq$!60Io)w~`HckHmKM5hn< zAWyk|L4KG|mK;E{%xcjmMz-I$8KL#>f(XljfLTa<~+zaqQma`<~*TvZt zT)9sJ`%9IoBD<)p?T|d2{owD~M?=%7&hiN!Fr+Nx_lI%Ih$?Vn!Vj`s&z;u-Lp7X* z%U9GK*N+7~pw`DmWB_MS(k|*QSp%kcH_M5n@1<1o9eg^|sT4kh1*QTE{q9>S7(2s=MnwIvBTadEeYbR!J z*YDl_)AHlsp1pemJJ(h28)n${chX+bvnRDev^_)ZO(@F>a4@fHi zsP*Y=mek2yX+$3*&8!44!tLzM=P_{PS(WNc@bO1nhT`;Pi-Wga(hYvAQ39qXGBW^;SI@SR89L+Q1vTD)4HP@o*I44i8-F7yAOkx=F0#IMIZf zGZ%@8&sAiy7WOHuv(T{Wg;i=Fm6VfFA4}7tSy39c0Lxo7Se`jAkaZFW 
zppQ3Y^YpLvX+DOzfwsE91tKfUsu=MlBYAMuneWnS-&RjA!i>Zg*;U6T4!0K9EEQ{{c=rOB9Oro~p6L!EyS0+0!Bg1Yz5JT(WZb5fK z4o`SC#=W>)#nN#!j{mJkegD&55C-t&#_Zw2Dl^+v@eoj77^ez+4P;!{ayt6sZbV{D zxH$es017Dhf7&FmS9Bda4w+CIwMc(9PuBAWuU~m?ZB9D-`{Ye|x|^g1-`cN@((0qL zjO0ALtgN(Yrk(Ia$s3LTihCN$DLh9s`V6g6g^EgnM$Zu>{*c<$OUm;AL{PRq*OJZI zosN{VB;4eePff4UOG<1CP)>q4Y5o9X!C*?HL+J3@d3i|Q>39s)xKwjn4{sfNATiJp zoeKlg5Nweek&-n3!P`FKT6@%#DOwh;up|lk_SF&Ho#^t>`Y5R(Urq&vkJaBe)pgtV zdFUYg`<>kzE=0ZcABIi_sr7mDi}#x?nzp$#Cy}AlOJ_p- zE0riAc4uS%LF6Pd)+};@hP8eKs@C zjM`pxp8U1-F?{YD-g$gUo=UFByvA+eb)>2M^rzImC)3Qu&1|1c|5hjwIgfRYQBRn? zMF!2we-Pg4l4+y>@pEqx0TzbBSzF=`CDvl@W#sFl_-7&3MwBe0hO{2cAzKzJZrF5* znR19#WTWFd-5{~H{_rT<;t@<7JcBrbG0?R#AyxXzpw_rp9ZteLhBQhYD2q^=mn*H^(D? z=!>LGM=FxjVXXJ$qm~?On-gf%{w9-Tonhz7331ELpqsiU4>*TSt&xvwVy@iqWd6r> z`Re=!;>@^WeKf5pCw1LQ8f3_!A#kr>CB|*)3r{Ve0MWu6)WeLRKwr4xFkGK{{jr3mT-(l|l57ow6ce=| zosr`^fZp^Wfn3c?mXqKehQK?cjz={jDX4$kH$<@2kjtN1rV;Ad2{Lpfu_F|a1B!*{3k1R>g#24!+)+laov$|8Ie=S84vZ5@Ezcw zZ%`7Q3&9-G?MEtvkoEfgHeafNMNl=kc)a!pvwbYKnYH>QM=C1}Tusf@R|rTQlu8;n zJbkK(rl=&-BbWqSGly&IOIeK*Muy#m`Q$XQc~1L2vlXh%q@>N6oF)Ap*b;KoOcOk* z2T5*NKi}N#_!0cLndkpbj>r3K0?-fTc%LNdt;X|)YMMyQPXG5cnd-erhQm_zKesCbxAwm?e{VD%_5)) zd|`rLlP@!0uz&xvVgGb*=<4)lp!3CGb%|aR*2k)#*0_K^aDZ;)eIZ3H(^A1FMYGdr z1+*}J>hKR)PJfp!olTPa>XLDMOUv`mkLcy_+`{eaCwevJ(gqtf{PwPTF=L5K7ZD?K zcZGl()-swhJ%fjteO~92HRD#qWc?bAKA-d z#GwCN26Vo7a(4FPQ@qS@3XU4ypj~|}BX60kI27bEhBA$~kS4AadW5v3whdYUm*K)_ zlk`(an!=1Z-VzjMT!79=#f#6+_A+O9lNn{%{}jw)-#>RR@A6? 
z>n+!a4s@arW%b9fY2%?tzuGHF{y2y8C0nxnO@@m<8u)Rgg#O{okjR5FYRA=yLVUyb0Sof zK?aLo0hyfAK+U^1dpB(Asiki)@XN&DOb*99y;KjK?dcix0kt1T`QhV^o|=sqm5mLu zN$Q^Toc{2-?|=K>1m=GcTSDl$b5a8IB1#fx$`DtOe+vah<&L1J)R4f>8NK_6P% z2Kwm!#?U9OYy8KDQ9c*YX#5G8zz&oa3(5zRMfsA2U}Cpeg$0l>52!$uaYOK03F+ue zCt9PC)JDr-X;0$wm_bt`RIbX$5by@puz$%{gkjUw*fqHcZQh^?RAegsWSNRLCh?+$ zs1~9=8${7Iz8j)y#hN{O^x@5mvw!pYM@L@<9h}(E1hm7V8*+{@1Vj*xlADF-mZaE% zeNk4ad(Pz{lth`W+nnuSvjZW2wdo*8S9WS20Ph`3`kVdI{iBTbalc;)OZr>-rTbg> zr8R0v)`|rFy3z2*_%b1p003cGoL?Rq3e^A>Hij-&4EX|~BMAtS`HMJ_L%18*Y?eU; zs7Qm<4saCYE_6>~7dPg5gIBag#_=_-j~95%DuUabLAFl3+oMPCb7p80K<3OXd$O#% zzj$eubt^j&o^p^s>gCILNoT+8rUhdcro_}ZT_p)*pcyrel1dq%v*mO}Z5eE+@aIwo zP}^Bv$JrGB1+nc|wPHZe9%}iFKL)vW^=ON50(kAfFsX|m3uEP2MBcsBL6Vg^s3ofb zw@sjFJwX9O=sb&_=Y1dB4CNg+nol1?Ee#IV8mX}*TIHfuE~+aRgOi%{msP?OoCvkQ zuY3%sj%7Za#2>xq-tm`FHSC@Otu0*@B;AppIzq!FDd%kH=<|AbUViZFHgq#m$B2%v zih2fKG+k9&#mL3!xqaDeWR?&;b8Q;47_DGaw)dz(qdX|@GX>;r_Fgw&85nNqy&i7i zy>3|sT9$!(VHwy&lilCTXtE1sLT!@Da4={!h*pEBszKByDHv99?cZmBV=-V%J#g+n+ggJNuPCW6o~Xc!JR@*p&Us^NA#2y}mAsKVq;lyH-2 zmq|;Y{~mg2ydtsOO+afrR@ToZrkOKthv|{=Y;iA~!d4K`J9}q{nXNTIv~cxA;nH`8 zaujwMKS^>7%y2E3z&o{NNTLfOEC_S43U~-&ds+C)OZ|hJZ;F^+*g(9l1lAqlIcsH~4Xk1kOmdjnZW$ z!E%*E+G&v{@>cY$;JEALd+!PV9q_8>AVO9*#Ef~9b$W-;K28HE>n0H)z;F&BGKzwE zVT^oPEnE$9Q9n~+Nw3A^#62>x**tUOFoCLIS+o-$39YP*&V7VgqMn;EN{Q^etB^Zv%W#czuVpjFEj`*bJ(xQe%X8Vs=OQRTfSkWlW47+P z`ml1lht=Axsi~~ld2(8TW9do1O6u+UgH=VS6f-RsqQYz$OLo_%Ian}jU1Yhg|6~8R z!~c@^^MqdIZ~Bs+mc6A?^T$8kDzhbLO9r?`_MJ`aL(_flZ7w`}w3kI74Js*rXw6an zE=lLBq59F?x2b*`YE>by?2eGKTtrU;weOvcRdR?FwRRN_N#g(GiYh{3p*;!3AIy5p zlD>yts-8DC;%fCP8d26e_Wb5zqp&LM&{+ApF-FzJ%nxm}?US$<^me?_EbvKRA#w3k z`r@akwlQjH6I;cjiQ+Lhsi%0*F1}mws2R%o`sbIw{O#TQ^Ea>G|M>QmclP6pgTe62 zz~c5{t-lsVQxe@;upE>QKSP-O&zmA%<*u(G=(WEwfucXmco+NC5-8A`13C2G>L5

RY?zDj$V?`suL1L4!V~Gfj?AxRB1y^`LM?Ub;><7| zgUw-1`!vLsEwm~wDMPY)`#Mom!9`#xB_(HaMN;3>q!!jcQj_Xw-b5_*=&!;gj(8?8 z*1(4gLtape_buL6#{2$3UD}5VsVg?XQhaF@tqXMbpQH;O&dm5P?IniFRKFiQB=bYT zO&|zhLg8-R-5L6Ke*KSM|MkCmf3gGV{i);KGDmC5z}+(9K2el8-NR1hOr(4%G&$-=(1-^_$Kp7qIcE+c){r)S#}I!&Z&!`1dj$7_>4Na zq7ITOaJK#gcF(Am=GM8VkxUaGUE@du6lI59NkUW8kuNGywv2k-TO2+(o|{9wc@i`J zsn8NWK+o_c3c{#on3D^Hi8;Z=C7Kcp2yqlZS7PIZadYs13EN~&brtOBsPNTlL1P)K zLnI#@-6|%nVp3Hx8SK}s-*9{&ib*|?Pc!wIt@h%$R73aZ5-IFS950{YAFgJAt1v+R z88wEE4i0iZd>IX;Akc2y+;|=fkly1GNp!`o*To6cBgNrK$NLwr%P7EO?8f*kfrI9Y zE*kT8`@^BvdD@|m2?@Q4_xRhzj`!{A*|*bY-_HLtdTeYI>WoGNK1UEfh@D}$x%yC( zxP~pO4-FetA2JMyLI{LIF?~<^oQZC1pb4D1qFu~aVWgQ;nvOy5<%;eL5_v3Vfbhnn zb0#07?Wb`t3-}hcZY=dUN^mrpup2DYC<$JlbeTdlp12M%io~oV0mC@j7F{I#WV-1Q zO?`_QEoM~4jQU=4Q}d^u*i8%JY`S4}v*v!1I5+)eD`X(i>PM1%4eu;ANtoLFz<4rY zuQfe|v@s!UNj-UN7fhoVR>+wKBy-q7WR8WIbY@%Fy;NE@a?6Rv#swN_SC~G;c&}1B zea6sTkbS0uCG9;3z6=ig8}Vf?OWHcwtAsCTZ5w={`y1nnJ*ip4XG$xI0Kvb(p)H}A zjpyM%L{`%~RmUaQznKSf6n2;-@jTCYJBr7Fo?OC4!QN*G(elR_lbn`j{wl&U789^Z zjgjQNh!2PQI9`EcP8^5`*!WA?kij%mf3WtO;mmw60O%e&wX_mw^Ncw5QhyTAsSZw{ zfTk|Kku7JYMO)KzU9P_QjyLv~el{(150^Kv*V-bs&Xdfc#yR$^ol1&3=^H{T7b~zdcrm@k30oN2 z(D)X{Sprmt@!|2Xo=uvBVFjD?w!v@Iki_xy%nl9Cul#e~yU&MB!19k6XLh&9bCd=- zgp+LE#YqBFu`91&cl{Muz2OR(K#)tF^^2@kyfb{5fUCjD=9;+mdHd1YR$9YJ^HV8S zPR^B}74*CU;j!`^H_!lne+2w$nwA;y=6-1Mb8Vcxj;z3xn@gd~lZ9uz9+nxKH((3| zcAm}IkG{Mj>L}a&L4yrlC!&LV#76+bk5%4}7Ped1t`6I^D+rJ@x*N7hx)5f|^O^em zZlDGS4sS(CeTyZ1USt(v--?Y+5t1_|vLQrW-`MD?Sr& zS01En;H}14ZG0*zHg(?h3Cr`+OOcT&?Luz%7D9hZZct8PWUqZdHN-9Duo<~bpED=^ z<6rR_AA6e?B`YpRC!HV9=uKCfU2W$iP-_VqaDy3P(TqNOje82jnX)QhL1FT z&OcMg?eBV|^BQEumc9wIYt~=JUCX@m0`n^B4OkXojrqKHg|k1{T;@76Q}qY?l@w02 zwnc>hpm}m9^D<-N-;$g>JNwD|{`B3MNjroUCtdopS>6&OqJX5#SO6Ku8|J*?Y6hwe zni!o13aY7xS$u|x>__CDWro_xtE8?^9sxDeyazr7#T9E}uA>B+t6$!K+7>c1KN>oX zP1DKztB&gKL}AP%wZKMu$|PT*ZViVVn7M~Zivyhzr?9vTM_DW);x9^>toDb8nNc*y zWVLsanM;rMavWE~?3d%C{5|{GJ^T544zhbrT7|V$SgR|nhsU)PR+48;+(oQNEXN>q 
z6sg6!Uz*OklW>uCjZAw$MW~<$Z4j|(CS`dD$ztwx|Lz;EBXS+S!Jg0aK>!+Q-iINZvpL-#jE*+h#f(88ek zAFt+%Cb;8%#&ZF9iR?S6Xq|NblowJdGEIL&4C4@=*KEr3|~bv?_x zm=gFN9Fw?49?&B6`tK)2cQ1gt}uRx@8U);xt#%54}zUq&e=JgYpSoL%MB96&+ zuQFe34bLr?@gIxJ*uvPe+jxw15&mYDnGh8hl$3j2#-!V56kA7cnrB{=#PUHiuswX&n_N^sEqjkPkI@sR%GRT9H*T^&^dfdYtC+{biNKQgTy#4{E$yn*C=AiH(55~Wxx${N$YNUS$r*s6N*abQdG?_0efUP zjr<~s3h7?0MWxmBDriYUfVjjmZr=rDYEU9mv< zY`L;CQk(;k;bKI)8rxt^QqE(I6jW1O>GQHs ziNZTFRlri7uzabn_YUDT`d|}_enPFW)En%0!yRvL2eZG=S73fHZ7TX^#z4lizjEfg z)sR{Zsj`ODKdxB^jD-8$8d5F_&qUZ)Qk85tep%ohh)WIzLoH~89dXX(6ylFtDL{>t zk-`8WWHRjs*QvP6onhhv8EvMT=;&^n!8QG);e2H-Bj@r?A%M{tOBS>#O?F(r{R1dC zgOkmKk%w8a(7kHW6=-c61&8i$tl(VSmNMhkaNR&Y2`x{GBVKF62>kj`h>=q4#o`%(^dT%kHaSM&RUq3{dS5MG3`6Wa6@F4T=d z?zx12$uw9xE-5Zb6_40OfY^;-+@D45KCCfZ8aVm;dz>%>g|@pX5FHg^oCJ^vwGZ(fOh55n-y=_MSfaUoZIh^Nd89 z&wqJO#(_V6nw`l@TF6K$%v~KGYe$-Wm?+M{(MA&H{Ub|UF&rFLf?>3_4Gh!$_XNW> z76!9#I14emtH^vJj2PcU{yZF+kXmDHZUDQQGN?W*ewf7Pa3w{@{IA3gBV+G3S=F-4 za|HqPbnS)BoK1<(A=&0}cvupn*-GS-L>wZrH zWOVubVsGem&pgm`pX)ZEpXgliT;DssB~fgsjo%8(mt{g z#KbdjJSF;Mqe@nioN6mBtaUHnowfN0A~rilc-I6_`!q@bv5@RO&{jD)c_mY z6dSrYG)^vc8W_hyPz;%<<ijj&2NI{<~!7#ksutp>GaHdBBf7k2|E-I7zZri z*zI>IM>oCv>5g|pT^{LX)b;Gb7KvnD2Y?g22iUMDL*cV#(7Cm$3LVF-g#0NGk%`>HbH!6Gwn)`G9Oz(8$aDl&zFjF)7@# zV`tLrC>An&62;+nb@Bh0!6!CvDK}I0eep?Gx&>(8u__lIdehO2*%&2)N){0n0quBBD6SDsK?^HS6OkwrX$<2!(W zO}rPRn95edYtk%^Ugy!HX5yFWAy}c&x^b>V$rX>YayXOQvX%k(0u)ONB#_mokFS7i zbh!H8{(SM5oDd9>ITzcY#lbEcpGWn0iGh?_M~1`WEcNHOwT`sbk;>MQ{(jxW+6vZ@ zG`+{%i+NbmO7AD#hRy)u}9YTDbBI^aaJjeYByvs|CSf68mG)tj4l$ zuS1dx0jTs|l+E@=x_OfT>~@l;3z?`M9Qm}ROn_9{p}F5`vwj?f?;#WU~8FR$JaI-^aFLDR~NplrbylvJ2_d0!L#?Ptc>4&&6dV*znZo2v{Q+@rrzQLxsBY>*^$5GrjE>B$K0Fo?d8XI5omJI zgM^|F_ckVk?;U0ZLk{|tluWd?jgmRsYn~8pXVH6c`s%fd{+E8FbZHl)ow0|*T&$Zz)C8s#qGnnD2t@?e6K>*<0@Y*^AT$8burnMSVx4Q!uB~A1>L=ACGmmmvlsxu%@M{ z!hsMd_hruGaTfcfbOY|P370JuO{jR|H6`?+#YWU2?zIBcV9N?ngXR^WGL@7; zjs8O#&dhsqcJ?DX0Nn8S8OXHRB$CaQ7tvS$Cw*c@-bB7!> z=mH0;Lz`Is1=@AI@y5-PMN*{97#so#XRLbDJ=cg` 
zVP8&Z!_sBPd!jX#at@U&j%1eSp(T%VhC-)WltW zx$b~sP%3jQ$S5B3dlwPRX=1z@_%eHNHB`SGtza}F7J$Y>$8|0)p)tc@nLzt34xA|# zvYx1=|2@IVc$~0Z4uS|i;GJA&vodt%*$i;Lur)JVivn%;Pp$Ch$Y(%TARoB)A`zQ6Z zHNrH}*7TIBa#l9rh1R2W*0>LPl3<-|W#j|lSYyE^NrJAa4xP1X++QqSIP|O>l=M1@ z$0Rg`M3iHZ@BQ`7wdBH@_KiGox1>>4RtpHfKYS)hqAaJj&<~r)DYgX zW7@Rw4L?`~VFH_njFgR3dT89TKBvjaVm;58r5y=`;D*HNb2o%q{e^OF*;zLcDocTPQx|Y2 zi@?wlQ46W#l&}?!r4&LbNZ59>h_4YK9*Q<*$x$$V;g80j@=CHmsa6|kwSmgoKz-ZI zUX`pyeJ#5g#qOw5)DVp0#eKOIa@K<>$Cgqi;=7^^{cT7wu>c$EnE<4RB`GYg`zszibGnCd%_73)~;k;aLQE3 z_LEi2v_Xlk3T{m7A03E8@Yrzf|C6v6^mdR@;3u4tB_$gJKMfU^+wuV|{K=ZH0e@WW zqz3%a25!P$%*e1DM-qfidl+Len>X_3fehwL0G&#b&^XgokYp#ezx(E}CYLf0;j|@C zCEGX&ma9bUWn-JRU|Y7WKFoP*aIfdB!ItN(LG$xg2D}@6)e?!w@=p>k%xT{WRg;my zrEB~qY;5$t-3Nr4+acD`QZMu<%fVPAVa(RkyuWg1J=F7DwMzJv`!l5-OyqJQsdmJ!%6&K0vMDfEozK5H0Q5)ghcDbm-Epkz- z;2eVS|LXGNW~o3=OcYScr;YD@^5y>iSEa_W1~d?7yDp_(O3fzPK^t;mvrN z(a@Vp4S4aUmgxm;Bx(!3$`Q*0b``5L)uWvcHce~Th$O}(+iN9BC1 z6Ui^*xSS>dU8iniu^iPS2p8%zPJ`MBc)FJKe$ySp*1+AOk4o7yPQoirN{`oBKluQr zS?;jbAy|ez)6p`Y?*--|9=gf=oaak>twoqCbN(V>#C$*rI#En4d+l7XLNuCy;D>~D~lx1pBG7rkx#_sZ$ z5e%3XpAWta!mSH6HrSNQM!1AZWM1YtGoul2+0AO+6EQg6{gdF^rU~o}I&6(%yQJD8 zG4T%rcSn00Phv;eNo=rR4eqG5ZBAlze-prCOv`fo+~8VU1VH0ccUMvNK?@7miqv^tqFFW5q(VjaE8p3?!vqFz3xX5 zNonpHlf81=HC&#z?4p{-Q8x0l<-q=U<-qb#_-sQtFp%KrlKoAWL15Ivdy5C#H;J4i_y)ixM+?*}M5tw)V}HDffmp zzI8A>sDwU)d}YeIw)QRRQVMX>S94kcAH6&|w+$yn{E@5-DZSbNcD}pGFo%~|+Oy%V z=lb~6RCZnXi9ZjP@Dxrmh`Ri>nUVI&yON{kg#`HLq-+JCF zjT_@v08%(RYOuW_id;<{#TYFx&u~z;^_#OEudh*FnHb$2;&GbXDNQ1xhe0F9h8^U% zE@rXT38M{-zMJoG#VShuNgx0KY)&C7lSeQ8^xf6IcN&5Jp5{{JgZCz2j$enV{q*IVcTee63L-Z0pi>LB0ne}q zGvJ%>FVr|u9t^R-dzUd=g4jpl&5^mT_w%L3QpC0ltd1p|4u0ZtSF=rn@XkI^O>{XM zzs<{*IU-D#_Lo8hM@L-v7+{0D3Vc>^nC>f%tS`hAT3E)5cot7@S}1Lyv@(=7I0hd* z0F=ViO6$58F0S_ZmLBQ1J&28SD+ow@_X`(|gNaW9zwE*me=FfHi%J&H+4PyTJ{$*- zfKoDgpC(`dGkFrxK{@wMp3s~7O<&B@!kZ~Ij^FcpH~3z7@*1#b<22CTe<)}_zE@~J z-V)l68$&z14~*&v9SPL0?S*p%vA~cw1x-L4Pe;7I_@O3V2c=a)KkC@0X}LPisV#fx 
zQ~02+VgE+Gg+&}saF~^wca+Mj%joNT?dP__$b=dA93qE)M6~wAp>KfLvW$5@#nY); zCDOq5Q?yy7u(FI-VsH>T{Wj~h1@X@d;>TYM#7Rh;>(-SMSh*-)yQ~H9N&v2NW`zwv zZN?5bU3US3V*x}Jt^JY7_7s&))DZ2 zK0SNyeSiAytb0W#ObN(v;yrKpkegd~&oJQ}x5A-$<8T_H904GaJ-FcEa_S4@Sx|+< zOv|BVG^nd+G($B>jwy9d$Pz;y8lTWuM7{|R%(tEQDuBi%kw6*=II#tjJc54C<(m1| z)Rott2!eow-dk`(B4(ZeAK18KtJ2X145llIaMk`BqKqaA%?B}sUkCn27NfL2Q%t=> z$KlVWF)fVCIUIyz_$DHC0a&(HkbW--ZvKG@a&C2I78LX46O^3I?TSPV zW$JoL%Oic}IWDo2EdAu@u+^Gct*NTkG~7qQtr}VrN!#1CCKSlnohGY`A^+POO{R|? z{S=Rkdc*}ZTu3JjoALrlb2PCcXQ4jPMXOJqH2lqi#re5>2coFw-{4<1KJuP7SB&Ok zZv7jXhOzlVRJP6}T%^wj9kZQr*v~wZ$j$LMhS|r?PCr{`Jn4qfxL(D|>A1MrUHEjR zxP@W-*I6-h#l6(1LqsP^84g@NS#kIf>Sp;kWP0C&rjL!QA-#M*(MhK-Nn~N%?p%Z@ zqw`C^FKKBFvKIXGF_<(|7n9OmUr5OVSi7-trjKvWSjnRW=k1c1WgUK3g!(QbO^xq+~pdhIO(r0HQw}Sc0#9#Q=zt?f72k{^mNCvUD@49J}_lD4XWc%;M3< zP~7LXSO zAwr#Ghy0HF?C=Ac{h_aUY$93oY~x92FG&NFx}mIktT|ee0dse2@@bWq%E}8JHtW@& zBQaLN^3i&^5_ zE+fshP1mHtGnX|qHz`HV(84UQQ-aPJb6g=(&1(h(wW ztjDWxyrOOk+jg9+U9&8+WI)|zFAsj6r@`zB2Y^$j+J{yu7KaXmHm_(+{FHv8y^?Wc z%h5bW^p8Rx(%g$Ee+g)72bzj9BcSqbytE_}PR2tv6RA|NR3g>V%+;QE#&yKqA_7y` zp*eB{x=)&ETpZI<_Ew!CU(*)lI=recSQZFM2kf0{X zVYc!R{XZb!99dgds{pkMP-O*Zu-~s214^>>ZUyMR5?NPiBAymVlW{OZQr;)z*%e*tZ1(2 zSZCfWWYfQrr*Jw3<3Orx2TXuOmjx)J+WAy!kosfgs`jfD@;$7iz@oKn6j-{yu>xy~ z(fA&-Z|2_gJ~%;QyupiLc?}VsPDrq+FK$cNofw|1IjYr-THUCsZd5-Ws9&LgFP->F zCvuMIcdJ9lxx{&1ECT+_S`B!I!)(BRJm2s0|Go^e;`gPr*%kB@`BjZ|KHM|&A_Wi@<6Yun%>-QO4=brGmtWC`*HmlI!f zaFeC!kpS@}RHXs-8S1Vi=oVT2<>|mGg(+Gj968IT8ZF)EE&cSPB*#chE?Y0g;^O5v z4+DPEL+{a}Qd5&Xbja4um1xxgLSHa+614KOYfPCnTgezrFwo{l6>N+wahJ#O&Zb|E zT4ZjKxhgUb`+LW=keLLAAoEK`LP59!GXkGz#Ivv($Fw~=jNQ4fK)5JJd8blyIWxpn zhX{Z)rV!<0k6 z;t>~8mEIVmt5}H5>Cd=)5i$6X$L`e84n*E*k5VqtrM z-S83+%T0}Q6I-0+Km8^*T)p-lKl$}vfBW^@r;qt;fBn(xe*cWV{ATF=%X1usJtoB9 ze?0y2Uph~{|0YbJ)%nffe~kO-(jUjyw(5^D9q7qhy)lz8A;?k6C?NVQjSH6uWSeU+ zt*SSSRRTRwd7!~@wemm}5&n3~aFOHY;Ub^&1dO*vUxX1NubcRS+VgOWy8oo8Tl+jr zoA~bYaJHK&9fZGsar)EwtJgoh_?x%?fLP{0S-w!CRzYWEV|JUYz!)Kp9Q|aWx~Jc4 
z6pAM9EUX=V-7#n33)#0Np$q8mKIRfB_qF2~J_ESyR|1!cv53^#cHpw#7+e+!dy365 z2(o(|%CRY75~Hyk*s|iD^)bRQO|JQtIfOVnfk9OYX7I*mYtm8?6??_8f*K1PM#!#8 z3m6h-MM$wk7FtQ};>KK`MGb&FVHM#BiLp9ik{nhTNNiq76k&@uE#7=iyxG4SZ*16D zlOo*MRDv>W_tW+-L^5U?raZa!$VYQ!V)8el=c7j@y}|P_zZ0Ly0>SZ#wZW!ZY83H$n(=rU zU(-R8+7FkUeZ!M9N>FakcSejwz)VeMX59&qlmiZm3zEVi)^bJAjTg$^q(@VyhPtLD zUId6-%e5^|jkaWYt1L8776vEvDl(81{LIS2Y6QlUB>`vmpGjBHZr9cn+~H=5f__^( zqGAPj{Z?Pt6pb|4s4wgdt-dg*Mvj2iw$T^p{w?$c<_S0xR@^g(Ha~CFH!;o)6oD6# z3rKHn9!Dq;#*1mfL43==m_5@#1K{)!?Up`Dow#-uE{eA-4y4{5t%_-^n`|LO`C{|Q zKgDnyaQ+Jd+vFBo^<8O-=n7iOn7q@UzkdsUqo3&Y%p}Fm1hkvY%Ons%Mu0x@7t56y zWM-qL1u8-KEo`>1Ssga}hex$wlY~J9*u0Iu->ml9to?SIVAIr%>3;S*Wa~E*QUb;# z5N6I?AtybX_q>_7gG(MJC4Jbh#?g0D5!Z5QVl_#B=Y+L)*m-^c5%4h>O)Q@DXaH@w^ZXA;8BYU7|iGAJi_g zI_@pPvkh#0Ogbud_{38*WNlY3sx=@|4a^2@FXg5D226Fo!^- z4ezM{PY+cvX1Krc(A9)Mc7Mx5*M9Rum(~#W68aKkvJ*B7PLQIe#|B%LuaSGwt*t8V zZ-Nn+7-q4a=IBkC8Ywf`zauFD>(96dY-B%;gIOSJ4&~jKfvmuu_jWSrnhx`O$NH5( z9Y(PN|GNovyMzDxwf%-DU#l&xW!u1s>%l~&})j2A|0qw^U&V1}px%iqnM&~YZr0;?pI zXk7YbNRj+2Kb-L#z~#EUIZ!kb6AxSouVhAFDP-dTQ&Il)%{517 zuQ*h-#pxEOKO;^L`b~~}X~8gIAau;0T^pyrB%x9^ zQiDkw8f3hoSz4&bF%NhcQXb^ zc{m==Oqgd2RxMb4Mz9)I;HcU9P`Rn_Bt%HX5`-m}w#Uy(kgUZgbK*M9^6c-W{AB*^ zRIFvS_506?P!^tFp{~^fm7yGLKA`SpOvr=1VI?(TkUyZ(E3cs=47NC(B1)3!aFi`E zKnbWdR~jakJ%G8(Qd6VB{mQ(Ka1LFETAtlFwviG2g^Y#Lr>VjArh!)R!umP619L)j zs1wLkls+n3?~KzNA;>5KTfm|!bhp`R^@0_j>;;>;CTO}mdY_O=i|F6gO#^dlnf`Nr=VT%+NWa-1jvq% zrL5Qm$z&;LI?@tRK_pN|JM5fy&2#VI(cJ%p59h%4b72&x?|*sw{>A&(b(IW;(ZxrY zw7O@fKm7RNos#c<8SIy5OCptJhf{e%VjvSVjv%QkEwW^h?rX2}tC`y0el3~Tj<@mc zu34_Dzaj(=nagdwP=3Ij1LnrnM77dfl2fjJT+-$82Ib)orA2J4j=8s=v8L_qSJWbg z+h`Hn6vxcKKFav{&tC8zWvCJuR&8Tkt^i!cGlByECe3H+9UXjY(ky8a0)pZM6N=P_>HkCD2^{?q(4|1 z?~Te=@M+;k=w=JwEqvF2?}K`b|0Dpmh3`&EQy!epg2_@z^|CLl)Xk8+Vt{Ve20_E{ z;M+%QjnemLe>?l>?GL{jRQG2=!eW+X4BY@DI6WRCXPdhgzRxiF@vqsmJiY~ui^um` zvuhY@gv1VZ5tfc~e<`e`kX3H`4+5h7!NyRl{@ziRMOlq>2(4{nv8VeROQ?>Bk1BW~gZqjDCUBtgIeL%wnJweUyQ6%sjByrr6#%oJ?R$=Y470*rARl 
z;!W1z!LlMdDbgA_NQ+(?ixR9GAR7=*OyIO%UFg##VeMVy*mW8Ea)d)Skn%NXh=A=9`Htc^z`4;hCnj1`AF(c; z(uWd3QCaUx`l1I!WvMVHM1VhnreyQ$?D(mT_Q#W2jB7Ej zI>y!ZBMUtZCP1lxJ6}=i!6;^(0!4_%qfGnS|aTiD>^leILyfVNHU%Ssd5C~j2oJB z(hQXR^`~eZLTOtftICMOC2W^En#JP^28~*VwiaR@1Y%6lj(Xx$0{&obC-JvjB~c(W zT`W3Bm$dG^!~K0`Aj8)f8vhVqM;xX8j6>B6KYuk~Apo%SmtJ?|b-s;q#T{Wh{ni&4 zzKûWItw?C*G4tV@05&}IE3MC-nV)i)%#`!q)&-MDX2VoL(PqLF&(oitEzoy2+ zgM-1z{WO*|>y@ec(b0RgysN3~AyAsT55_HgIb{@F`^lP2`Q+gC1Z7|P)Rl)p`8eApV~J-@NqbmoA#+>DJU=Fv zbnmgU<$*MK>L+Xv&X2j(E?VuPx^^)*saF!Lzh8mKZdRu_iTCIcs&k#cIsN(k)r-HK zeJO_cY7);imgc%$QjvtodfaP@$Hn^0@Ar;e!(p}hRTa;X!|gcMxs*vmu}s(soWR^cQ6Jc&6X9x5eflwMlX{3;%dKWJjk=gG(^zLts^Ia|MYlaaIb z{I4h@XLz(RmiEx8K-{mS7@)On6oUa2kcNtZp$2<#`s%d+f&OE1lYAj4f&wH8m zXKkkPBj>aowyCTlOM;P-Sk?+HAU=aXn9i$GVq1;eNiYkpd`V9-;lI5{k6!VN^V2|= zX66OkTxg?M*+TM<;iOLlegf%8Fk5*3RUD3;?(C2V6wF88Q##N~yyZ> zbGK!JO;|F_fwuC@`fR-~`IgkD(>HH-IRqQMKYNi{A!%cpuR`Ag{RZ=G>~b+dOR%rA zy-fUt#3C+Dm_*T;;5so(#U6Lrgy`gk;^F)IhgNg%_gnp|)xWChUxTCl{aX4L3Fao= zhG%QUjXpi}0rd-)L6LzWbm$X#ZyUZx-MxJ5V(m%A*RxWNMGT{iUlHGT`@O+oZ`j={ zQY)GcL=Vra*x#6U+o)v9mc&r~=Bc+vItq%G_>Iq)zViERvSRPOVv6@LB~#82_{$T9 z5Qstv8I3LmVhh3NrjD;tWANsyrc+p;X&R&+nh9aXKB19>Bc}_VKS%wvIRF{ELf%`; z1KA=|b!2K#a-~B4?CqgeIf+p}+A4Ru_u|9*AK(3Q`q#S0{@-QPRc>m^0Y)ZIVY z640b_$ZPCRQxUg*5OG-}UR&QKtM8JZnvLaMSWGT*GniF(DZZlu#64JXm%V#sZ`|9G zy>YKOd!u0hmG8zL3CY<7N;tpz`K$p%ooO?eX+MkvheUvg?Q@xX0tW-bm@n4SP^(D* zsqpJ8jz6vz1xk@9HUp57bZ#?1L<`gGx{?Hz;x$=$R&Cn!o7Q4Hy9y+wi_IDm2jz$W zUS360wT||O7=`k3j{^~u_&hXND(@fWVFo^D6T#a}kNOz#7M$JW$BiqosxO%53g%Oq z`E0Bj6Xi}#3%f1sen!~ct495ZeYKn0S7mO^u=2C~jo&mTSdMZvLb z2irUYM3g9O)dE~;uWQ=N`HN{E<_l0yX$M3*!rZn%4c#v7UBvGK99?l>L>$bSfj@Qx zUqtUOWY5+Y@+X%;0D6`qUe@Vwn3t`I_j~8Q$3+qcATeTS)DiW483^R1_k#d=fB$3? 
zkPrI%*3Nq{s08F_Z5tr(g9@!7klSc)%U$N76rOkbD)pXxpnsn>fb;jZR5XYRR}kHT z<>I0gU@8PjsU>zNXDIb&8cS@vf~zR}`wAXNmN4Rr?M9qM#HJD5P9hA&$l~nV(^qOV z(rtooz7QxZ*$*$VHcl5;MzqlOgg(mH;9r0Ay5D=9XC3b`u}j#5GWHA)2lf1SBqr|09)ytaKNSOc>Auk{@S}4l z11vp{@fq9V`9tQOWT_9irEC`ik70deErmKLnp?18iLKzH&5i+wb5*kHU z^GA1NiU`?|u<{eSC#qFQK&-QdIW>LOiETlv1+D6!HQcM09!Y}YZqPCj$h+7)SfUld z3n7QA2sfN_mhf}0|A27iMoj8nlKrNF>tQ7s*QM~sxqQsr+$dyjn(H;_EKF>cqv8C} zDOf|@l#K8TCvwv1ZDS+x>6Y^*@3wq;~jbStBhOtQcX- z=BA7hKx7PL7K`7@Yz|>yEq_ggBjbY^QiuJGksnR)vA1RRC4c!DCPbV81O*1A6x_Am^Lf^acXW_We!5zUvSple0HIhIM)|s?A zm4r;PbmH?Upd1(6fFBN#l(djqcxvJ4Gs089La0YAVz)<+UjFj>#rxOiKfZnQ8shQG z;K7=_pna%>HaXFe6BO<_&lyDt$=liquQ2HBtmpi&$&e_hQ1j?_|Bx}*94^uTG6vg) zi_rbeA>)oCl}%;)0cQYHU4r^ae@ImAi-m*&;bpx`;%VZ~giw+aY0rCM_DA`1Ohx9BS)!9$ zoC+A})ILs4EA$vWk+BLyD>uTpa=axhoazpGcxe+Y|@ydSQkU=N0!h;UCpSgi7hM#sO#AJgD=G1D7>ws8JuRI z@Crf5vg8qlfW_F7#KX$S2eMf(4TUGnW4%txHAVsae4s0X!+OppY=@p37SCC*6jLR% zLGS-tg`u~8dT^S66@wTV=Jk8qlwloB9ixiiHDOEYVL z(Biu&fal%=v5gM*@0Espe@hzj{pK{}f)u;U`NCtTa4>7aHHOEK<`R4gMjdTZEe0ch zl|PQ*J>iw%S}=QG5cniF>J1bK)LU&%n#n!qhA{xZ3Uk|OlaZ9%M6x&kyuj%bVJJ@9 zJIa-Bt1Jr0(TpIq(|gU`!QEoa)G}Shljl4wHOEFBR=ilm$#NCp7%txU1zeDX)4^CR zuaG!P^sYdFn#GlcwvuG;(IcJBad1_2GTGR>NCKvbh1C~vLWy_5UT=235&%?i>4i2O7lV0@UG-})fR zUVndcsPfTqRxRzYlCp=^wo&#tEV7}pXR4)TrOXBg-Ao6_ss{zpba~lO59A7AfozFf zsWFchtA3w_GB0Af8F5>*gfFxzjHaZrNn^=TQplBa}m15`uOgl8wXF6{^Z#S6$F<*VY%@;bsbhe!HeI&qWb1Dnt zhRVXYR9P6e%0dHWVRN`G2+ zfym>h_t!u(IAvNNx`=trtjCU>^@}9LhNZry2;ZD3CizS*83LxY_aP&)Ay`3YSfzRM!k}sH&qG zR0$&GbuIszf(lL;X+araPqy`91E(yD^H{ct1Qsd!0Zd8ooKIG>*|{$@GoO2Be>?l> z?GN$`@5Z&CIOgX(rMDfNBN~0}f+n%3i;su`@1C9h@Z*PfvYp3YNSonj%OSy*Tv?)^ z4dhIuSOdbVREmYxfSF7I>b~|mzZR$ew_n$${kLB?On1lIxIoqjckX&&jg|pNRuu09 zQR><~Cg5V@NK6EVhTO^nAg-C>P87F?3CkF6cDEcHWg1bn7+kcrokrB$-9l@RYwSAu zgT@28(R&iES6}z};I=~V8`&nRJjer+U=*XI7wBwI)d8eA(mSjKv#~^nptFr{;tNs4 zkXh$e&KW&qTY~P#v7imKY@=ehwA`v%q@2_2{_rH|O?x}}?wOA!@GJWn@sR0LwkPQB zx1@|S6%p$b?@P7cn@!3^{~(L(86NNCemTj0Ice37R_&;+b{r0CsvYXRs0WZj2S7*q 
zc|7*|hy6aEt*vz76Dr0d7lAo0iR0xn{IluGN52HZ1XBLHgjBOl)la5D_M>||@6ea$ zQwZ};0kPeKgHz+p&8kV`d9b`>qrmc#&5R_iI_PpoPEjUN4hMJ>iOJb&0ILf*--Rg_ z;zLJd0s-ZoRgz$>sMdlx0#^%GlcQ{eu*go&c>*e{4fc-b-tLv3fbzk;uScKjs(Rka zCdPBilXw-`SG6$3C1}PL>k65ifmy?4XbZHU#2TJShR~AE)!mWT`8M*t{qXGDAG~k< z&Mo6u8~vtBopnvSz*?a4>(?8{fmn)|%gtR!mN1v@E=?@j(4tzNkYd1GsOUlc+j*

mQ0l8wl3mK?ApmUv)-yst?E=+b*j$>Tqp3O0UPi* zOkA)vEj+MpVPMzUuDC*XU3!<~bA3EvQkNWf!xT84o-lE}JO)nJ1jen{T5QEJKKQP9 z8SDOqu3-d`Lu%LDt@H;YDBj=O9F>xpRraf)KU&)c{ptS3=>Pw>cP=>y!ax|lis=Cq zN!+>eA_fIR6D&qVJwEeKX{kk?8(pwsL0kG9zIJ9hr^GuIEUhI6^nWzum>C!<+9#FS z9KF&%S%R$U_0kS}#;0@6#bA7gnD!=R*3i?qV2{)%6hnMjDBep4MC!N~RF%f8h7iPP zY53HK_(1|!GkIaZea$_IYC>xlZezK$dO_(uTMVkXfq!zUt}z|bai11oSb$+XFoZ!c z2^dJy3N|mUZCuD&RYw!mK35jcZ9HiRW}FCfV4bU;Cy- z4bys}GkIgaF(P@X)LJmUQIk==Wi5+SsPOVwyMxY;be4)A znZO(q`0Wca+z6=e$0SCjOsSf8URhaLnZL}cN^Spm6G!Yyq$-rjj@NB< zJSGxf24OPZ@jedTHeY!^?rvkPrpjiKP!l0Cmd&PO$IHY`*1l1Z$0n&5?Re*d!*>^X z;zwMm7JmP6x3T>Ox|_s2y=2fwqP7Bm$D3r?bgSK-=4sTD>9`&EZ4rrBB$;Y=Tiv#2 z>fWf(RldHyZe6ca^9jjgIgYT(-=MwL{Z!JX=;a^6f z%2X?XKU-sY)xPolV1zSgrc!bh6s5W&U8xC`S{uOJVBrLV(8s}eI>RZlg>^xMO1=CgB=g6I%?wve|w zo=6O{?l)g=x53ypEMJx@7Vr!fuGi^pG&{X!4+?{nkFxEyE~lzlm_=gufdsA-mu?5C_fFS*w5~EyZjrLCNc|sLA=RC8mp!pHFG6u6K_-9Q7V(H z8S@NkE-Ft2Pwy-qi4?YsFnfwPgarCq(|ibgoQSktd{Z({eW9DSU0eEf8u2h`;vOZ! zQ`li#3D_+o>Fu8B-?rEWD>mppEWj4)b=g}nWVjC7?V^)KeU3$f%$KRRyWZ--f9so_ zm#;t9%9qI%Y;|0+Pg?PKyC4glR%foIQB1qt?Y8|9Kfg<5KGmYy{B(9SXukTn345@+ z(Xs5(D|>$SuGv35)n(mg{~Uknynazyd8m7qM|y3~=XzsGz_?*H+wo!%gn8_-YY~no z8K_F2*Nj#owA#Kxb&0OQM6l1va3Q^Mt}+&ciVuO#44U3dKnj&m4=WfDh+ zm6_4#1z{*kSn5Y1s_qsWOhQFp)0n1XJA=JK-N2@Ubsx=2eHaEQc0CFGNvXjokFW_$ zko%WVi8y0B0PDoAU_!t)WQyxVj*6~ZZ1Dt%oj5~OOh6a*dmC4g0+A?S16G-_Kr+w; zYzhVrMB_Fl2o{JD&!dc8@hBHGLaBG)(TGP%v~XG4^Xr12-(rPRslqJ063TvUFaAtl zkHwfTs66+1U-~&(T4Wr4BT}e-y#zmgfRV;pG+n<7zMTs{$8B-~97$o3P`{!{c5Oaa z;Z$b0vOGGBr`*qq!EP%6QA>kUo@TRwlu=RtmhT14d!U|E87-Jit>jFoDNHdOh7l0% z>M#C$*f*^UN~)jcj0$a1l4qu7Did*GF=s=N-Z+ffz8`wKdwYkdPS#(65~TXB^(ed{ zr3!zOt$15gUl&l|?H&YSMgrc>RoafiVLOszz)Yyd+I%{VLXA+`BJg&pep}0T z3-KXBhE}6-aKmG;pGxy(A2Wd#qJ!nxIp3Dm6YDGZdrwlB4WudY( z7hcg>(b0Ch$}`Jm{n=RQHkxUTbIAPP1q49&Zv_Hi{w)xAv3V~bfW18i2tfNK0s)Yq zAP0B|>kTX9%QSG@Mln+PXcYQriYkUU1v8K$vzb8b1qKQlMCuDrLw|(Gl>#<(NKqJzRb5F{Yk@Fa zhpulVD07ubvk>lJ+7TcCEJKWvnWKXMQi z=;!0vk)r{W7LQRZpkYXQW(|5Gu`ai2v3b-~h1y~jRrboNvd!*VwdAEM=~PPAH`Z;*dbOnUs$)ww 
zUeronJC#{$^V)e;FM72S*JiU`vgz8qu9S2;j)KkgD%CHo((ZM;Pq6t3Hs2dIch@@) zg3Vy8mkpag$bfua=!;CM)*TomJq8W8Z~(%`HGU2;Hvymf_@RI93RJcPGpsQp~6 zvP7%SlEuJ5P}|gMwpgRFH{r=x2N7zz%$rh3D%nA(lVyk$N`{S$0x(-K@7aVsi`cV_ zJLfP?w=`x8PR0ReKCz>74BQG{}_%2VM_XVhD42F^eMbxm<+m|Y@SEGaHwDovt*O#o@XuQQ} zIf{#4M1;aoNkBmCyg8yg8--VbOsH9R4Cz5Z9D;gH#(zqPy}Qv{>REg5aUg4>w;YgV z4{py+P6h-_N{j5`a;b>rm7pW86refx!CF2XSRr9|4rg2v4FJsKDkt0;e!w~p1#T&{ z%4=xLFEx%SCS`4&MgYcnQETjN|G$)u`o;jFun&Dvhkcf|Ix9x7(b0FpD=L08Ghz5p zM_~2!EEjbISF?n`K^V3+yf;_`>3!yR{6d%?s0#2d* zUYo-cGI>HK_eUlVKYs6NWCG6o@!|2iEp~=m#bRZWQLu&qLHBHe21m=atzjfv3o@95 zFdzXQa>U+6VHBA&TXZ|X5rOpuwM2VKYXx(4M_<6fj)$qd#se(E@8u5>N0&nCkL6v7 zfCQ)@{|vXgHsy47=j$Me_Ike5NSg3RyUdhAw^q1ez*vcMW|Nnd6RAZqx_C;Z{il*1 zutz;5Rq&@`9)d5CV$EnN9CN`h91P68xM}^arW($&K6-3vQGRxCbkILPXda&o4$d)> zW9l7Ac}e!rGMad(_sr0kpfZcOH9GJ`Bq)+Y9pUa1o$OqWGP1dEWu63@$!w2!S|bz2 zlq6fQCc}`AO(+9#OL0P5F^dY%2AwFB?tAqk3`vo`jb>|TLNI)Qo5n~uS)k&8_!h%J z)rw<6gUX;1==~Zg$=qf}>a>qvIudj!xoU8-t898b~8=ltG1}q1298sX#NTu!2v^HTe>J#zcrI=L?$74Q2 z;D){eo>_ya)2$vCMKg49WE|}5&@UaK(=HykE0LUxPb985C=7Es0mt_FG|Sxug%XJd zHNwQ){AA)=dy-ayhju=U4)@LMVGHeR`e=UTD+ORJWC{eBTOKhq1!aQv4D8HfzUt=Y)vDI7Qo|Dk!O*B&YIi|etzOfilg&06d|pl6xF zPK{9in56~vmj>>-i;cgP$HxAk3H0^vfBlb(+5;r`_rL!438g-v)O(}U?#AZB;%A^z z9~VD!(yAtl0%*A5@HEK;cXY^U2wyJQ7V|^|+w2$Seb@Ea4)dtgW52N|LlM2 z|LS@4yX*4k!{YDkrw{$({=0)SAOKrloSY8My$Ut-;a4L7&He8V zj`vT_&JXr4PR~wGcW@YL=sxcso}J?et_htd>R1}mbksjTKkX0RSL*El4mP7@ZvnOd z*n%!gZ!Mon5TV)5PGypB0E+4mnOi4auR4+|9MWlNy@y*WPh?!H{Ql&_!Gbx2vX#Zt zAWW;Z2Omy>G3ELXmn+loAu{vr#BRxt8H3$r%{Sc+Yxa9=G(G`(9GL?_ zil1s$SfWeUU_Pf_j2m8A<)IE?QgFuJ9j!-a^mSh9$V4#E2muN&oq7XW6?ht}iYpuxxCLoa z%!pthK#3zf9Y=DAcod!0MVc27H=a!3ZLK#m>v5KW^-xT>iKG}*T;q&~ygvcnd&Q+) zrVp>_j6z>zdH#MdIJKKZ0lk-^woc~J0bVi|!789>d5vPHf%I*IXy?c}8txzu!x1jt zBTLV?^!pQs-wTJ|_zlv^;9bKeZY=khj4q{Xf2uO?mPHoM*)zB6#0`ep%YC`K0bqQA zvcz35pk|spynCT3L?2DxPzD(YFu1~#ad8x{sV)%>6cLJtspnCEzMH(ZkJj|PXjn^u z>MGXv73btm)^19JFFK7R4=A|isy#U@PY%ny9hOcHV>%CTSiqV*&|$grWVWm_T7?g= 
zXy-St+*?j6t|~##nFhkn^Xd;&r@2~#ZjHo;)`Q#hi&0#v+MFJqx-Kd=1kBjDBEZGc zmnPmh#LuQnTEco+tqDy4zb}Nlx{_*Dr(fyUbwDesuPo>xFr3n)dAedwgC9uS81d z7d{w#+Cl%XchFbxXkIS!vI+F|IFIJ#ay**3#11uJy#U=i5nql|^F=O(^>QBSVi063 z;qq!2-5r({1A2DE^42!m!LTi$!xHeZfLwazNZ_9i;b@<`=Y*xcECPpG`jKF;2D)W# zo}`NKI!cS}&o6{~qi5-$P4EPJvBDGV{T%Fl@NJUymtPI`7I_`8-+3cbJnFB#F*8cU z87o_Ht&}pQyzds6oOyH4p4;m%_;y67)w?aVwvF>dJDXKCewLV$nXA~v1tb<*YThi; z=i0#Z?FmjkRyGSbSu+9;hLff1vb2_eN({EMdHeO)Ue7*e?rz>Q1I6a!uE#?AB_bBE zdc!=73`awqrioo9cym+nka#}8kCZ}!cV z9esVFM9HYgctCi7_@+Z;Jacb>IGbAY1Q5kOdNLc4`p_9B0x=clqFg24L-ht)B~O-O z_?iv{jU6T|#>ap@S9k+A%nVo=nN(Iqz|Ra!JaJbVu1ZI=AzL`b zWpm%zZOgj{Gd)z+PFIdj^%Db{CamwDW5hdmq><{nEGFH1UVrR7GL2McnQ5f(OwV1y zE4kq#`z~qj&go6|1vdG}j9`I7o`HV)hrTW@(?Fj~Whr+%fMNQbE8x%?9)pE+Q4^eO zK29V_fjb9NxiD{6%()p8_$OW`OoRx`R2E-i1dEF{crJxi<*9C+IhqwHasDI}_~<2@ zfZU8H&LR4Q@9N2|k(4T_#rllCQ7gPI3;+dRvH)Rp{%IU0GWsS#6dGf^xT%fyo(A4P z&GS9I1~!opba8;^ePVU3=vTRWp)eyEBlUFZYTrP^3LrzU#thF0eNB7$Cj4!=hBjP2 zpI&dHlAGs6XWf;&s%83d`Fvhf^Al~jBy7E2=Lv5-;f?#^4ZsgCABHzNOV8)CrxVag zli-rq_I`O&lmB^lf*#*)@kKd9zHXk6(yT8q46^h*ANr@i3@*9TT=epiO2#96U`smM z-or4snHqbQeKFHFmc^K{UJ9*BQIV1`EcOVjRP0?=h7 zwQ5&(jtSb>yn1G7OwJMH(A*lSd*c_h_aXliZP*n1wstH}r8`ksh>!*x90xpGXRrHC1uHWmIrM*aCZ-S9~E{6zZ zEve=qiUl`2sgzm(xeTBDy9RduRLoP%@Cn1;8^d?kyAO>SezRGAN}JODb4n}UPyq4s z+2|?1PHC3&nRUu~33KWY7rsJH9d>rUvr<`>6?TH(eod-hU5N6^CE6*`IG18auUb7A zDeLKbC_yBf&zb)<zfzbUy{B4 zNN~!*VY|TF^f(In8nA-VOs`qYf2Vv)}RwmC@fBbo`GsBB)QKH>=%YNuO)NnZW_nG(dyw^Ri zh($s_i{OR10GAlO?(TB@@_~Mc@RVg9r~r3DR53xahIF3A#flJW^}IKLJYvy=Y8QON z$UpO7V52m^H7z4YnpCXViLA!9kCEkYBs7I$bWF3**2=eLm@x`wf^QZSo&^0=M=F@A zfEe*@3JaeTwB$+<)K%~y`gWvbrmf3YA-+SQ5r0Gu^lGi;o?$K@9_+OkrNt=AVwBlKdrDu9w*;U{UvWQTA*!zM=8u_HuzcIlz+Evyl?+Rv{ND5Q0vaV6NJ>9bKca-J4Dwu$Z4nkz7NO92z^4cz zy|1W*yG!TZ%x8LN{DQr^{sx2eQOAgU)BqUAT)R?f31p0zj4K*JKXn*Yi$%kH9t!Ra z4Mmt--2hJCxpd$TJeGRM<3sZs8R{LFuk$DX$=u_lJh`ynkzfEo*qjX@rx3h?@s2|? 
z;y18(RI-)!ok?d$`>%zKSfGWC51FTH$FmM!JtAy0%oNVr#&d(tAd~unETFi{)k(*P z-39kFfsx~U`kI_F_-=5}Ukcx0ZR_AWc)vk>S2CD!+733Z-U2!!X0LGeJq&Xys+ADm zh4=a7_A zO_D<~>tg0lfk;;lL5T02&o9N?>B7u0P6iJ^$b&(U3hlI-tb^>lL{MW>j%f6wGo*7; zIfltiG))uQwKqP@4MJXdA?tZ>adx6)e(QZaMeKNkDHoaihC&kldOlBPb0%hGU@F{^ zP+UEhxfU%sb6X^oIXtF;swK$Q!^dnO|J~)oO7Gi@3>EC( zEBLWzqae)3h!iDT)2l%-BSzwpZAp>hjtI}XYhyX^*gTl(-;-mmwz3RsTMJC}*K(a( zs4a69W)2;uY=|aU@mlmppF$s zOO6nlf%4lQ0=g?>>;j?s<##Uh9 z6a1ppSDE-$6fDqIAM^Y$-uiwOp%bQ$*@9V@#v~o&)(c=KfSbpJJq9qynEuiT3lcpF z+$gQ@D2yQXpM1vKFBIt()XWxU3UAI(-1xWX+RqE_+PGFH2f9q zqUYEwoR}tCWq9-+*f+S|-2B)O3U4;bLIdH^j01!E(S3YFi7~4G$Xxc5LFrxk%9v*2asL^i~;}!NMQv8_m?o79O1jxZ$C~GOaghMcuvr|8YU^r zz!+{o(IhrTM}lXBjbI0-H=(R3xU4yi?Rj+G;)!HGtC5zhz6&odNR>x4ZBPvoG-=Rf zKn!l(^rEX)Kn~r&P%ez)2+;6|i8!FFtv|{{4Ty%;z(a*(G9q4EOjC}nPiD3kTX4Ta zg@l}^EvjTL^80d zeOo0;CKI5G8PVv^ib-?s@;JJ|Jtva;R-Vyh}IL)ywFAi^CSG>C6Yakjg;$(CT- z@(q&HD96t}7~rI=h;Ee}V8G><0t78`w6Nkg!n(HGut5KU?tf_XyA_QuNT zbh?VM*DL|XIA|<&bM=y@Ei-^($3u1vhIM0tKpY@jFa}#1CA1483GcZt8O2r4ZVb6p zaf)7Tw3;nqC76oU9MNj`e#b_6deir|j(-2N?W#kuC`QXtAX|p_$h~QVBqo zbb3wqwXEm;wQ5Wa(xC`seZztk)?r430r@1(e;ZG!xg32zBk*4?>^M z;TYC4-2{(>9*agc&%SU5Iw2a_Jy*elU!VZ4@eq~sU~ zw85E5fIN|2?!={+%ruGvFC2ud=_(vr7wH@-gnOL5id{_zL*ri`MONO)Cu0U03l zfA|1|^2evAmTFs5H6>}%<$g}X*f+*ob(d?Cezp>Sd5J&R8w_hnd^n1lmiU&#R~*n_ z)0U1RI$27*zIi@hqxmp|z6)%T_`8=7*C;tB;SHyQvgQpXwTGJy{GD|+<_Rp0>#s+j zGqrd6^I7_9i2RAKB}o!~XC*4rVi!B!M*hsuFF4$zv;wqu&mRam*^F|8xy7M*M9SPs zxwnA)HZ2Lzf+~dPYYDe7T7WR24KAMQwX@0|7902Kt7EXXweZqjlg2$&$DGbc z!7=qm3_0t`SYo-ktH^=QXj_J|io*M{#F_8b}-1^Gl7(SXj; zNlWrEX1TATNhG|O*<_2huY^!k5kf22elFLvqFP5CzldmpuM&zV<1`bKV8Y-cR}s8Q zj%5VwM#{E2&lsUORJ2yH(&{r>bhA9Vsjbg|gQID5Bl--iYm-gzUtlk)FVZIG`66j! 
zw>;U>VHe<#7-fOV3uE$m?$Y0?L4Kiup>b)>M#7Bv$=!lcq?0GgJj)U~Wraw!I~!?$ zS?^jXV4P(sR12_c$M(h~xYdxl8HU?231n3<$0LX@+oluc1}SuMmKIg!z4l6L>q&Gb zgM-DM+qo#}r7!^2whjh>_Z!3jI4MW(-+%mi_U7pLFQ@O1PJdfRBSNH4xuk?Jk$~`G zaviy%92U5-Ztn_e3)cD5F`^tzsi6*~nY=}3n4+y_d&f9VE7^c7A6#^u-EY0#ZpRz@ zrf#8DrRqtU=TAvDhii@7g@?;D67vXC5?G#gfEzgUek?U9_dFpI`otMpi!#8vSLDrs zj19Dozim3S=E}t|!CaCvVrj({Ob191l5YodC0OmqO)ev;v#n^VNViy`c=zM){#{nk z5y6)zO?|Pubgt1j>kNGNGX^bWw<&bavdFvp8vmF~iI25%)Uw%KY`vuNd?h{hP^9~m9kl_qPUQwyEyKqt(HTLU`5d0P`Y)s0s->;-Iy6+LO{ zkgMJwuUM)9@Z!Q|;70Sle2-Y1ojh$>1iLonsa2%I^O*!q_p~ z)hNa5gQzwa5G#e+TtHR1fR1p_TB3bd(nSULU z9!!1Usns)#K$`WO56#7m3jV!t`SWrSKkL}PV;3WUvmtU{XcnWzt?PMQ5x4Gl|Hjum zcf9;ykD|s+wi!*WpIuYRbn$4KS!EtAFHc?Ky)BZ=0-4n$_AD^B9vjzctQq_3&@&YLs_|FeY4%5S^`m<|04u02 zUu45`-XW3%e7aa%(r_0_=j$K?56Ek2Ok516Xt3z(LrJHcEa@{k|X6VnR2>*JI+Kgf4?OCMgkHPK~~PQw~)F{B7}n&M}7$*7ynCuoohgIqlo zzil{!Z2m1{KK3a{zTveopT=FudWlbWf14_G;3UZ75IvrctOq_i1zS8rdu! zQCB`{zR-!A9i76!-l;l^>*)xfp!X3IukL?7ZyhC0d+$-MF##8_}T;@T&n{TRF9RI<B7kC$mrPHz^vRwzWh9 zMwvDu8id!Jr^1|_EG&X%1OtDAy%gpNo!UNGoiq!fs1kf501B-ldmI-fk4w_ole$*f z+W3ye0)wOg+w}_dRLTdINq#T}Y@W@e4lN`44^+%K855UoL@Rn)(erqs=V1TeFM4E$ zJy*#i%{PKa4~!p2?!Y`ZNPL5}ts{5nJB`Sl`2ymbv40zl=VKgWI8f-WKXO88jWfpz zqUp10ro-DSAHE-vQ*6R^AF*MeZG~M!0;f?67s$qS=1M_1m2#FRu5PYpi}8Yz5A zaIC+Lrhaw>*L6J~QMr%n`5GOFFt~Uo&by;{P6RPEtEo^iz*9B z#Rn_6X$+_1u;1@&GN~V2Du1S7%vEE6iO1aG^1oso44~(+!JiQT@WFC1KC~Umm zM-{v}c^4?};Tq5l2Lt$>rNxv#x~y*0*Uj;OBCifcM-1~S=CwN3?eRB+ zS;gw5_GHVr>C3_J9v-8?OT8Stc)8r=V7MNS5xn2bW6zd1O-(ld%%jyPxyA0vr=6A?%UrV`7Fgc`eK*+vu@mB>HV%Dd48^+%B~f&Jy^K>>k%LiyH*LW? 
z1nzj0U~0t6uuw8L_&cye(FcuEF_t-|QWF(UH+ekdi-mZQN)18rpzLqneC%h}crwBg ze?gvG!qtgQ%W{jSwy?VNH^S;lUbuL6pNQgA+Qqy)M`6 zbpc1f_Jl3e_qs@N;sxHnylft%-mO1{lA|lwo!$#fRQuHUZvAfF*UN8P-nakqx_B;N z_q=c0UN>g*797zm+4wjPqHKbGo58&<>elr)z_#&`xK`^cq^tU;3V?%lKZ$~Ka4>8% z@Nc*lhJp8+!7#>w{p7>jkDu%JKj&vBQ~&4d-FEx=dw&;vdp=n|J>Gu*@1jpLzqrk~ zu*$B>(zQR0^Zcg^S7lc1nzPz&N!@#@6va+_zG!M*hdZ``PJT+l2$ zv+cd)_foC5)%EtardgNuHFsOEA3H30U9;`J!_B~oWwv(RlQy3&D0AD9HLJPb>djh} zJk^hvChe#TxxHbT-nzUamv;r`zN)%k{b0%}>9=8LE`BfAaC?$&Wm{!sv0}l|d#3x8 z!ulJtQ|jJzc2@72vhVv7E=is^$+agYed*4A#`V&Cs&Ze-}C1t_O_j>7} z*V#cmQ&ZmFD*t_V{=1!b<10eFcq{_v%Z1pKxyPEam26mXY=Lk!uPR&W>%=#KLTbw2 zwsY~8f3~_Cax&sVfy4B9Ed4xEOU-50c;;JFh*UYxQF^5GMNQ(a*tsySQ^(os6g1Dz6wGSk{LmN4mv&Fg<4M=?8=emh@2G7{-}J3Fsq4`G zp3B9bRy7?BcZgCpKPJ3gt3gzF`=p(2CCM^xE*vO%bK(WloA(|i+;y|rg$ynmCNVtj zb=4C-W@7CSSkG#Fc52GAPr}8$4BZn%I@FZfOoet&>D>G1M$yhi@(pI^ZeKFX-F|7` z)NiM~f8Xjmv$axqI%kf_D#4RaJHIC7e^%V#)iGU@cZ=9$+oYx$cjwHPdZ6)Js@wn5 z$9=4P5B&CDF5LLnHviGJ#nL=`9_J=5o^b2Y{Njk1n`IL@Bg*XdZD08F=F85`2U8b! zF5CG-+P80)(bRUgXXmzEyvEtPTc4rvcA;#B#s|)AH#YZfKe|nNWyAj;jgRKCvG*=Zvxzvr zRPbK@vkUHOo8JYq+r-MD=%$1mp213Z={4A-> z;r+H;-}jf_Z#nrQ>y7`yGyj3z3{wBX>)YfuUw91A{HpW=62h?#ax=?2K?MD9Fi725*@_+Z%!G$wr`6 zD=ZkLW^*$zyw+v_Z@U252C=H9l_;y66N`%z^HPcu@mN$0v}n%1bw_%77#MmtFf-Vp z_^DtbQ5FScG}ujni$}*3)@~2gr_3pScnNfTsunwyjj^mhOq(RR3-+7GCvj| F4*=R@rndk9 literal 0 HcmV?d00001 diff --git a/aria/operations-for-logs/8.x/inspec/CHANGELOG.md b/aria/operations-for-logs/8.x/inspec/CHANGELOG.md index 8a5ed3b8..854e59b5 100644 --- a/aria/operations-for-logs/8.x/inspec/CHANGELOG.md +++ b/aria/operations-for-logs/8.x/inspec/CHANGELOG.md 
@@ -1,5 +1,32 @@ # Change Log +## [8.14 Version 1 Release 4] (2024-02-21) + +#### Release Notes +- Included Photon controls locally rather than linking to the Photon content. + +- Cassandra: + - Misc. tech edits for VLIC-8X-000006,007,013,014 + - VLIC-8X-000012,016 - Removed (Check and Fix duplicated in other control) + +- Photon: + - Misc. tech edits for PHTN-40-000003,007,019,031,035,036,037,038,041,042,043,046, + 047,067,068,076,078,086,105,107,160,173,175,184,185,187,193,196,200,204,206,213, + 214,215,216,223,224,225,226,227,228,229,231,232,238,244,246 + - PHTN-40-000121 - Removed (NTP handled by Application control) + +- tc Server: + - Renamed all controls (TCSV-00- to VRLT-8X-) + - Replaced all $CATALINA_BASE and $CATALINA_HOME variables with actual paths + - Added "VMware Aria Operations for Logs" product name to control titles + - Misc. tech edits for VRLT-8X-000001,151,152 + - Removed the following controls (FIPS settings handled by Application controls): + - TCSV-00-000002,100 + - Removed the following controls (service configuration handled by script): + - TCSV-00-000037,045,048,051,088,106,134 + - Removed the following controls (auditing and updating handled by other controls): + - TCSV-00-000105,117,147,148,149 + ## [8.14 Version 1 Release 3] (2023-12-22) #### Release Notes diff --git a/aria/operations-for-logs/8.x/inspec/LICENSE b/aria/operations-for-logs/8.x/inspec/LICENSE index adda3822..0d81eaee 100644 --- a/aria/operations-for-logs/8.x/inspec/LICENSE +++ b/aria/operations-for-logs/8.x/inspec/LICENSE @@ -1,2 +1,2 @@ -Copyright 2023 VMware, Inc. +Copyright 2024 VMware, Inc. SPDX-License-Identifier: Apache-2.0 \ No newline at end of file diff --git a/aria/operations-for-logs/8.x/inspec/README.md b/aria/operations-for-logs/8.x/inspec/README.md index 042dc55a..61acc5d5 100644 --- a/aria/operations-for-logs/8.x/inspec/README.md +++ b/aria/operations-for-logs/8.x/inspec/README.md 
@@ -1,6 +1,6 @@ # vmware-aria-operations-for-logs-8.x-stig-baseline VMware Aria Operations for Logs 8.14 STIG Readiness Guide Chef InSpec Profile -Version: Release 1 Version 3 Date: 22 December 2023 +Version: Release 1 Version 4 Date: 21 February 2024 STIG Type: STIG Readiness Guide Maintainers: SCOPE/VMTA @@ -27,8 +27,8 @@ Example folder structure: \ariaoplogs \cassandra \controls + \photon \tcserver - \vmware-photon-4.0-stig-baseline ``` **Note - update any needed inputs in each inspec.yaml or specify them at run time.** diff --git a/aria/operations-for-logs/8.x/inspec/ariaopslogs/inspec.yml b/aria/operations-for-logs/8.x/inspec/ariaopslogs/inspec.yml index 10179382..4bdc39f7 100644 --- a/aria/operations-for-logs/8.x/inspec/ariaopslogs/inspec.yml +++ b/aria/operations-for-logs/8.x/inspec/ariaopslogs/inspec.yml @@ -1,11 +1,11 @@ -name: vRealize Log Insight Appliance 8.x Application Profile -title: vRealize Log Insight Appliance 8.x Application Profile -maintainer: VMTA -copyright: 2023 -copyright_email: stigs@vmware.com +name: VMware Aria Operations for Logs Appliance 8.x Application Profile +title: VMware Aria Operations for Logs Appliance 8.x Application Profile +maintainer: VTAE +copyright: VTAE 2024 +copyright_email: stigs@broadcom.com license: Apache-2.0 summary: An InSpec Compliance Profile -version: 1.0.3 +version: 1.0.4 inputs: - name: apipath diff --git a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000006.rb b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000006.rb index fb853e8a..2c172887 100644 --- a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000006.rb +++ b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000006.rb 
@@ -1,5 +1,5 @@ control 'VLIC-8X-000006' do - title 'The Aria Operations for Logs Cassandra database logs must be protected from unauthorized read access.' + title 'The VMware Aria Operations for Logs Cassandra database logs must be protected from unauthorized read access.' desc " If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. diff --git a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000007.rb b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000007.rb index 8e2b13f0..70220825 100644 --- a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000007.rb +++ b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000007.rb @@ -1,5 +1,5 @@ control 'VLIC-8X-000007' do - title 'The Aria Operations for Logs Cassandra database log configuration file must be protected from unauthorized read access.' + title 'The VMware Aria Operations for Logs Cassandra database log configuration file must be protected from unauthorized read access.' desc " Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. diff --git a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000012.rb b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000012.rb deleted file mode 100644 index 15ae5cca..00000000 --- a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000012.rb +++ /dev/null 
@@ -1,55 +0,0 @@ -control 'VLIC-8X-000012' do - title 'The Aria Operations for Logs Cassandra database must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.' - desc " - Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user. - - DBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research. - - The DBMS must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization). - - In the case of a database management system, this requirement covers stored procedures, functions, triggers, views, etc. - " - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # /usr/lib/loginsight/application/lib/apache-cassandra-/bin/cqlsh-no-pass -e \"SELECT role FROM system_auth.roles WHERE is_superuser = True ALLOW FILTERING;\" - - Expected result: - - role - --------- - lisuper - - (1 rows) - - If the output does not match the expected result, this is a finding. - - If no lines are returned this is NOT a finding. 
- " - desc 'fix', " - At the command prompt, run the following command for each unexpected user: - - # /usr/lib/loginsight/application/lib/apache-cassandra-/bin/cqlsh-no-pass -e \"DROP USER ;\" - - Note: Replace with each unexpected user returned from the check. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000378-DB-000365' - tag gid: 'V-VLIC-8X-000012' - tag rid: 'SV-VLIC-8X-000012' - tag stig_id: 'VLIC-8X-000012' - tag cci: ['CCI-001812'] - tag nist: ['CM-11 (2)'] - - describe.one do - describe command("#{input('cassandraroot')}/bin/cqlsh-no-pass -e \"SELECT role FROM system_auth.roles WHERE is_superuser = True ALLOW FILTERING;\"") do - its('stdout.strip') { should include 'lisuper' } - its('stdout.strip') { should include '(1 rows)' } - end - describe command("#{input('cassandraroot')}/bin/cqlsh-no-pass -e \"SELECT role FROM system_auth.roles WHERE is_superuser = True ALLOW FILTERING;\"") do - its('stdout.strip') { should include '(0 rows)' } - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000013.rb b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000013.rb index 628c341e..6c01574b 100644 --- a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000013.rb +++ b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000013.rb @@ -1,5 +1,5 @@ control 'VLIC-8X-000013' do - title 'The Aria Operations for Logs Cassandra database must protect the truststore file.' + title 'The VMware Aria Operations for Logs Cassandra database must protect the truststore file.' desc " Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. diff --git a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000014.rb b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000014.rb index c49ee728..a1e78235 100644 
--- a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000014.rb +++ b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000014.rb @@ -1,5 +1,5 @@ control 'VLIC-8X-000014' do - title 'The Aria Operations for Logs Cassandra database must verify there are no user altered roles.' + title 'The VMware Aria Operations for Logs Cassandra database must verify there are no user altered roles.' desc 'In order to prevent unauthorized access organizations must ensure database roles are in their shipped state and have not been altered.' desc 'rationale', '' desc 'check', " @@ -18,21 +18,21 @@ If the output does not match the expected result, this is a finding. " desc 'fix', " - At the command prompt, run the following command for each unexpected \"member_of\": + At the command prompt, run the following command: - # /usr/lib/loginsight/application/lib/apache-cassandra-/bin/cqlsh-no-pass -e \"REVOKE FROM ;\" + # /usr/lib/loginsight/application/lib/apache-cassandra-/bin/cqlsh-no-pass -e \"DROP ROLE ;\" - Note: Replace and with the unexpected \"member_of\" and \"role\" values returned from the check. + Note: Replace with each unexpected role returned from the check. " impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000516-DB-000363' - tag satisfies: ['SRG-APP-000133-DB-000362'] + tag satisfies: %w(SRG-APP-000133-DB-000362 SRG-APP-000378-DB-000365 SRG-APP-000516-DB-000363) tag gid: 'V-VLIC-8X-000014' tag rid: 'SV-VLIC-8X-000014' tag stig_id: 'VLIC-8X-000014' - tag cci: %w(CCI-000366 CCI-001499) - tag nist: ['CM-5 (6)', 'CM-6 b'] + tag cci: %w(CCI-000366 CCI-001499 CCI-001812) + tag nist: ['CM-11 (2)', 'CM-5 (6)', 'CM-6 b'] describe command("#{input('cassandraroot')}/bin/cqlsh-no-pass -e \"SELECT role, can_login, member_of FROM system_auth.roles;\"") do its('stdout.strip') { should match /lisuper\s*[|]\s*True\s*[|]\s*null/ } 
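Review bot: The rewritten fix text instructs `DROP ROLE` for every unexpected row, but the check this control runs (`SELECT role, can_login, member_of FROM system_auth.roles;`, expecting `lisuper | True | null`) also fails when the shipped `lisuper` row itself has been altered (login disabled or a membership added), and dropping the built-in superuser is not a remediation for that case — the old `REVOKE ... FROM ...` wording at least covered altered membership. Since VLIC-8X-000012 and VLIC-8X-000016 are deleted in this commit as duplicates of this control, the fix should state both outcomes, e.g. `For an unexpected role: cqlsh-no-pass -e "DROP ROLE <role>;"` and `For an altered lisuper row: cqlsh-no-pass -e "ALTER ROLE lisuper WITH LOGIN = true;"` plus `REVOKE <role> FROM lisuper;` for any unexpected member_of value (the angle-bracket placeholders in the visible fix text appear to have been stripped by rendering, so this may just need re-checking in the source). The `describe` block at the end of the hunk only asserts that a `lisuper | True | null` row exists; unless the lines after the hunk also assert `(1 rows)` — the assertion the deleted VLIC-8X-000016 carried — an additional user-created superuser role would pass this control, which would be a regression against the CHANGELOG's stated rationale for the removals. Minor: the new `tag satisfies:` list repeats the control's own `gtitle` SRG-APP-000516-DB-000363. The describe block continues past the end of the hunk, so the row-count assertion may well be there.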
diff --git a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000016.rb b/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000016.rb
deleted file mode 100644
index 12b67325..00000000
--- a/aria/operations-for-logs/8.x/inspec/cassandra/controls/VLIC-8X-000016.rb
+++ /dev/null
@@ -1,40 +0,0 @@
-control 'VLIC-8X-000016' do
- title 'The Aria Operations for Logs Cassandra database must verify there are no user added permissions.'
- desc 'In order to prevent unauthorized access organizations must ensure database permissions are in their shipped state and have not been altered.'
- desc 'rationale', ''
- desc 'check', "
- At the command prompt, run the following command:
-
- # /usr/lib/loginsight/application/lib/apache-cassandra-/bin/cqlsh-no-pass -e \"LIST ROLES;\"
-
- Expected result:
-
- role | super | login | options | datacenters
- ---------+-------+-------+---------+-------------
- lisuper | True | True | {} | ALL
-
- (1 rows)
-
- If the output does not match the expected result, this is a finding.
- "
- desc 'fix', "
- At the command prompt, run the following command:
-
- # /usr/lib/loginsight/application/lib/apache-cassandra-/bin/cqlsh-no-pass -e \"DROP ROLE ;\"
-
- Note: Replace with each unexpected role returned from the check.
- "
- impact 0.5
- tag severity: 'medium'
- tag gtitle: 'SRG-APP-000516-DB-000363'
- tag gid: 'V-VLIC-8X-000016'
- tag rid: 'SV-VLIC-8X-000016'
- tag stig_id: 'VLIC-8X-000016'
- tag cci: ['CCI-000366']
- tag nist: ['CM-6 b']
-
- describe command("#{input('cassandraroot')}/bin/cqlsh-no-pass -e \"SELECT role FROM system_auth.roles;\"") do
- its('stdout.strip') { should include 'lisuper' }
- its('stdout.strip') { should include '(1 rows)' }
- end
-end
diff --git a/aria/operations-for-logs/8.x/inspec/cassandra/inspec.yml b/aria/operations-for-logs/8.x/inspec/cassandra/inspec.yml
index 9b2e26a0..070c7d5c 100644
--- a/aria/operations-for-logs/8.x/inspec/cassandra/inspec.yml
+++ b/aria/operations-for-logs/8.x/inspec/cassandra/inspec.yml
@@ -1,11 +1,11 @@
-name: vRealize Log Insight Appliance 8.x Cassandra Profile
-title: vRealize Log Insight Appliance 8.x Cassandra Profile
-maintainer: VMTA
-copyright: 2023
-copyright_email: stigs@vmware.com
+name: VMware Aria Operations for Logs Appliance 8.x Cassandra Profile
+title: VMware Aria Operations for Logs Appliance 8.x Cassandra Profile
+maintainer: VTAE
+copyright: VTAE 2024
+copyright_email: stigs@broadcom.com
license: Apache-2.0
summary: An InSpec Compliance Profile
-version: 1.0.3
+version: 1.0.4
inputs:
- name: cassandraconfig
diff --git a/aria/operations-for-logs/8.x/inspec/inspec.yml b/aria/operations-for-logs/8.x/inspec/inspec.yml
index d88871e2..4639953c 100644
--- a/aria/operations-for-logs/8.x/inspec/inspec.yml
+++ b/aria/operations-for-logs/8.x/inspec/inspec.yml
@@ -1,17 +1,17 @@
name: vmware-aria-operations-for-logs-8.x-stig-inspec-baseline
title: InSpec Wrapper Profile for VMware Aria Operations for Logs 8.x Appliances
-maintainer: VMTA
-copyright: 2023
-copyright_email: stigs@vmware.com
+maintainer: VTAE
+copyright: VTAE 2024
+copyright_email: stigs@broadcom.com
license: Apache-2.0
summary: An InSpec Compliance Profile
-version: 1.0.3
+version: 1.0.4
depends:
- name: cassandra
path: cassandra
- name: photon
- path: ../vmware-photon-4.0-stig-inspec-baseline
+ path: photon
- name: tcserver
path: tcserver
- name: ariaopslogs
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000003.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000003.rb
new file mode 100644
index 00000000..2c7c125f
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000003.rb
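Review bot: `path: photon` swaps the Photon dependency from the shared sibling checkout `../vmware-photon-4.0-stig-inspec-baseline` for a copy vendored under this profile, so fixes to that baseline no longer reach this wrapper unless someone re-copies it, and nothing visible in this hunk records which baseline revision the copied controls came from. Add a comment above the entry, `# vendored copy of vmware-photon-4.0-stig-inspec-baseline (record the version copied); re-sync when that profile is updated`, and consider stating the same in the vendored photon/inspec.yml, which is not shown here. Removing the cross-repository relative path is otherwise an improvement, since the wrapper no longer depends on a directory outside this repository.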
@@ -0,0 +1,55 @@
+control 'PHTN-40-000003' do
+ title 'The Photon operating system must audit all account creations.'
+ desc 'Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify an audit rule exists to audit account creations:
+
+ # auditctl -l | grep -E \"(useradd|groupadd)\"
+
+ Example result:
+
+ -w /usr/sbin/useradd -p x -k useradd
+ -w /usr/sbin/groupadd -p x -k groupadd
+
+ If either \"useradd\" or \"groupadd\" are not listed with a permissions filter of at least \"x\", this is a finding.
+
+ Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/audit/rules.d/audit.STIG.rules
+
+ Add or update the following lines:
+
+ -w /usr/sbin/useradd -p x -k useradd
+ -w /usr/sbin/groupadd -p x -k groupadd
+
+ At the command line, run the following command to load the new audit rules:
+
+ # /sbin/augenrules --load
+
+ Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
+
+ Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000004-GPOS-00004'
+ tag satisfies: ['SRG-OS-000476-GPOS-00221']
+ tag gid: 'V-PHTN-40-000003'
+ tag rid: 'SV-PHTN-40-000003'
+ tag stig_id: 'PHTN-40-000003'
+ tag cci: ['CCI-000018', 'CCI-000172']
+ tag nist: ['AC-2 (4)', 'AU-12 c']
+
+ describe auditd.file('/usr/sbin/useradd') do
+ its('permissions') { should include ['x'] }
+ its('key') { should cmp 'useradd' }
+ end
+ describe auditd.file('/usr/sbin/groupadd') do
+ its('permissions') { should include ['x'] }
+ its('key') { should cmp 'groupadd' }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000004.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000004.rb
new file mode 100644
index 00000000..deea3452
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000004.rb
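Review bot: The two watches only record executions of `/usr/sbin/useradd` and `/usr/sbin/groupadd`, so an account added by writing `/etc/passwd` or `/etc/group` directly, or by any tool other than those two binaries, leaves no `useradd`/`groupadd`-keyed event even though the title says all account creations are audited. If no other control in this profile watches the account databases, consider adding `-w /etc/passwd -p wa -k passwd` and `-w /etc/group -p wa -k group` to the rule set and matching `auditd.file` describes. Either way, a one-line comment above the first describe stating that only direct execution of the two binaries is covered would make the scope visible to whoever tunes the rules.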
@@ -0,0 +1,60 @@
+control 'PHTN-40-000004' do
+ title 'The Photon operating system must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.'
+ desc 'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following commands to verify accounts are locked after three consecutive invalid logon attempts by a user during a 15-minute time period:
+
+ # grep '^deny =' /etc/security/faillock.conf
+
+ Example result:
+
+ deny = 3
+
+ If the \"deny\" option is not set to \"3\" or less (but not \"0\"), is missing or commented out, this is a finding.
+
+ # grep '^fail_interval =' /etc/security/faillock.conf
+
+ Example result:
+
+ fail_interval = 900
+
+ If the \"fail_interval\" option is not set to \"900\" or more, is missing or commented out, this is a finding.
+
+ Note: If faillock.conf is not used to configure the \"pam_faillock.so\" module, then these options may be specified on the faillock lines in the system-auth and system-account PAM files.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/security/faillock.conf
+
+ Add or update the following lines:
+
+ deny = 3
+ fail_interval = 900
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000021-GPOS-00005'
+ tag gid: 'V-PHTN-40-000004'
+ tag rid: 'SV-PHTN-40-000004'
+ tag stig_id: 'PHTN-40-000004'
+ tag cci: ['CCI-000044']
+ tag nist: ['AC-7 a']
+
+ if input('useFaillockConf')
+ describe parse_config_file('/etc/security/faillock.conf') do
+ its('deny') { should cmp <= 3 }
+ its('deny') { should_not cmp 0 }
+ its('fail_interval') { should cmp >= 900 }
+ end
+ else
+ describe pam('/etc/pam.d/system-auth') do
+ its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') }
+ its('lines') { should match_pam_rule('auth required pam_faillock.so authfail') }
+ its('lines') { should match_pam_rule('auth required pam_faillock.so preauth').all_with_integer_arg('deny', '<=', 3) }
+ its('lines') { should match_pam_rule('auth required pam_faillock.so preauth').all_with_integer_arg('deny', '>=', 0) }
+ its('lines') { should match_pam_rule('auth required pam_faillock.so authfail').all_with_integer_arg('fail_interval', '>=', 900) }
+ end
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000005.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000005.rb
new file mode 100644
index 00000000..9665a4eb
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000005.rb
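Review bot: In the PAM branch, `all_with_integer_arg('deny', '>=', 0)` accepts `deny=0`, which disables lockout in pam_faillock and which the check text explicitly calls a finding; the faillock.conf branch gets this right with `should_not cmp 0`. Change that assertion to `its('lines') { should match_pam_rule('auth required pam_faillock.so preauth').all_with_integer_arg('deny', '>', 0) }`. The `deny` bound is also only asserted on the preauth line, so a differing `deny=` on the authfail line goes unchecked; mirroring the two preauth assertions for authfail would close that gap.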
@@ -0,0 +1,97 @@
+control 'PHTN-40-000005' do
+ title 'The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system.'
+ desc "
+ Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+
+ System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+
+ The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+
+ \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"
+
+ Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
+
+ \"I've read & consent to terms in IS user agreem't.\"
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify SSH is configured to use the /etc/issue file for a banner:
+
+ # sshd -T|&grep -i Banner
+
+ Example result:
+
+ banner /etc/issue
+
+ If the \"banner\" setting is not configured to \"/etc/issue\", this is a finding.
+
+ Next, open /etc/issue with a text editor.
+
+ If the file does not contain the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
+
+ Standard Mandatory DOD Notice and Consent Banner:
+
+ \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+ -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+ -At any time, the USG may inspect and seize data stored on this IS.
+ -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
+ -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/ssh/sshd_config
+
+ Ensure the \"Banner\" line is uncommented and set to the following:
+
+ Banner /etc/issue
+
+ Navigate to and open:
+
+ /etc/issue
+
+ Ensure the file contains the Standard Mandatory DOD Notice and Consent Banner.
+
+ \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+ -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+ -At any time, the USG may inspect and seize data stored on this IS.
+ -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
+ -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"
+
+ At the command line, run the following command:
+
+ # systemctl restart sshd.service
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000023-GPOS-00006'
+ tag satisfies: ['SRG-OS-000228-GPOS-00088']
+ tag gid: 'V-PHTN-40-000005'
+ tag rid: 'SV-PHTN-40-000005'
+ tag stig_id: 'PHTN-40-000005'
+ tag cci: ['CCI-000048', 'CCI-001384']
+ tag nist: ['AC-8 a', 'AC-8 c 1']
+
+ sshdcommand = input('sshdcommand')
+ describe command("#{sshdcommand}|&grep -i Banner") do
+ its('stdout.strip') { should cmp 'Banner /etc/issue' }
+ end
+ bannercontent = inspec.profile.file('issue')
+ describe file('/etc/issue') do
+ its('content') { should eq bannercontent }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000007.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000007.rb
new file mode 100644
index 00000000..80ee6e80
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000007.rb
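Review bot: `its('content') { should eq bannercontent }` demands a byte-identical `/etc/issue`, so a trailing newline, CRLF line endings or a stray trailing space fails the control even when the mandated text is present, whereas the check text only asks that the file contain the banner. Unless byte-exactness is intended, compare with surrounding whitespace normalised, e.g. `its('content.strip') { should eq bannercontent.strip }`, or use `should include bannercontent.strip`. Whether the strict form is deliberate is not visible here; a comment above `bannercontent = inspec.profile.file('issue')` stating the intended tolerance would settle it for the next maintainer.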
@@ -0,0 +1,43 @@
+control 'PHTN-40-000007' do
+ title 'The Photon operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.'
+ desc "
+ Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
+
+ This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify the limit for the number of concurrent sessions:
+
+ # grep \"^[^#].*maxlogins.*\" /etc/security/limits.conf
+
+ Example result:
+
+ * hard maxlogins 10
+
+ If \"* hard maxlogins\" is not configured to \"10\", this is a finding.
+
+ Note: The expected result may be repeated multiple times.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/security/limits.conf
+
+ Add or update the following line:
+
+ * hard maxlogins 10
+ "
+ impact 0.3
+ tag severity: 'low'
+ tag gtitle: 'SRG-OS-000027-GPOS-00008'
+ tag gid: 'V-PHTN-40-000007'
+ tag rid: 'SV-PHTN-40-000007'
+ tag stig_id: 'PHTN-40-000007'
+ tag cci: ['CCI-000054']
+ tag nist: ['AC-10']
+
+ describe limits_conf('/etc/security/limits.conf') do
+ its('*') { should include ['hard', 'maxlogins', '10'] }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000012.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000012.rb
new file mode 100644
index 00000000..f3061431
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000012.rb
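Review bot: The assertion reads only `/etc/security/limits.conf`, but pam_limits also loads `/etc/security/limits.d/*.conf` after it, so a later `* hard maxlogins 50` or a per-user entry there overrides the value without failing this control. If the profile does not cover that directory elsewhere, add a companion check such as `describe command('grep -hs "^[^#].*maxlogins" /etc/security/limits.d/*.conf') do its('stdout') { should cmp '' } end`, or at least mention the directory in the check text. The `include ['hard', 'maxlogins', '10']` assertion is otherwise fine: it tolerates the repeated lines the note anticipates.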
@@ -0,0 +1,45 @@
+control 'PHTN-40-000012' do
+ title 'The Photon operating system must monitor remote access logins.'
+ desc 'Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).'
+ desc 'rationale', ''
+ desc 'check', "
+ If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable.
+
+ At the command line, run the following command to verify rsyslog is configured to log authentication requests:
+
+ # grep -E \"(^auth.*|^authpriv.*|^daemon.*)\" /etc/rsyslog.conf
+
+ Example result:
+
+ auth.*;authpriv.*;daemon.* /var/log/messages
+
+ If \"auth.*\", \"authpriv.*\", and \"daemon.*\" are not configured to be logged, this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/rsyslog.conf
+
+ Add or update the following line:
+
+ auth.*;authpriv.*;daemon.* /var/log/messages
+
+ Note: The path can be substituted for another suitable log destination dedicated to authentication logs.
+
+ At the command line, run the following command:
+
+ # systemctl restart rsyslog.service
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000032-GPOS-00013'
+ tag gid: 'V-PHTN-40-000012'
+ tag rid: 'SV-PHTN-40-000012'
+ tag stig_id: 'PHTN-40-000012'
+ tag cci: ['CCI-000067']
+ tag nist: ['AC-17 (1)']
+
+ describe command('grep -E "(^auth.*|^authpriv.*|^daemon.*)" /etc/rsyslog.conf') do
+ its('stdout.strip') { should match /auth\.\*;authpriv\.\*;daemon\.\*[\s]*#{input('authprivlog')}/ }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000013.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000013.rb
new file mode 100644
index 00000000..15498070
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000013.rb
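Review bot: `input('authprivlog')` is interpolated into the regex unescaped, so every `.` in the path matches any character and a value containing `*`, `(` or `+` breaks the match outright; escape it: `its('stdout.strip') { should match /auth\.\*;authpriv\.\*;daemon\.\*\s*#{Regexp.escape(input('authprivlog'))}/ }`. The check text makes the control not applicable when another logger such as syslog-ng is in use, but the code has no corresponding `only_if` guard, so such hosts fail rather than report N/A; an `only_if` keyed on a profile input would align the two. rsyslog also reads `/etc/rsyslog.d/*.conf`, so a selector placed there rather than in `/etc/rsyslog.conf` fails the control even though logging is correct — worth stating in the check text or grepping both locations.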
@@ -0,0 +1,43 @@
+control 'PHTN-40-000013' do
+ title 'The Photon operating system must have the OpenSSL FIPS provider installed to protect the confidentiality of remote access sessions.'
+ desc "
+ Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
+
+ OpenSSH on the Photon operating system when configured appropriately can utilize a FIPS validated OpenSSL for cryptographic operations.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify the OpenSSL FIPS provider is installed:
+
+ # rpm -qa | grep openssl-fips
+
+ Example result:
+
+ openssl-fips-provider-3.0.3-1.ph4.x86_64
+
+ If there is no output indicating that the OpenSSL FIPS provider is installed, this is a finding.
+ "
+ desc 'fix', "
+ At the command line, run the following command:
+
+ # tdnf install openssl-fips-provider
+ "
+ impact 0.7
+ tag severity: 'high'
+ tag gtitle: 'SRG-OS-000033-GPOS-00014'
+ tag satisfies: ['SRG-OS-000393-GPOS-00173', 'SRG-OS-000394-GPOS-00174', 'SRG-OS-000423-GPOS-00187', 'SRG-OS-000425-GPOS-00189', 'SRG-OS-000426-GPOS-00190']
+ tag gid: 'V-PHTN-40-000013'
+ tag rid: 'SV-PHTN-40-000013'
+ tag stig_id: 'PHTN-40-000013'
+ tag cci: ['CCI-000068', 'CCI-002418', 'CCI-002420', 'CCI-002422', 'CCI-002890', 'CCI-003123']
+ tag nist: ['AC-17 (2)', 'MA-4 (6)', 'SC-8', 'SC-8 (2)']
+
+ describe command('rpm -qa | grep openssl-fips') do
+ its('stdout.strip') { should match /openssl-fips-provider/ }
+ end
+ # Test whether OpenSSL is operating in FIPS mode system wide
+ describe command('openssl md5 /etc/ssh/sshd_config') do
+ its('stdout.strip') { should cmp '' }
+ its('stderr.strip') { should match /unsupported:crypto/ }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000014.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000014.rb
new file mode 100644
index 00000000..aa3eb1a6
--- /dev/null
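Review bot: The documented check only verifies that the `openssl-fips-provider` package is installed, but the second describe additionally requires MD5 to be rejected with `unsupported:crypto`, i.e. that the FIPS provider is actually active system-wide, so a host with the package installed and FIPS not enabled passes the manual check and fails the automated one. Either add the `openssl md5` probe to the check text or spell the stricter scope out in the existing comment: `# Stricter than the manual check: also require the FIPS provider to be active (MD5 rejected), not merely installed`. `rpm -qa | grep openssl-fips` matches any package name containing that substring; `rpm -q openssl-fips-provider` is the exact query and its exit status can be asserted directly. Presence of the provider still says nothing about whether sshd's ciphers are FIPS-approved, which presumably other sshd controls in this profile cover.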
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000014.rb
@@ -0,0 +1,52 @@
+control 'PHTN-40-000014' do
+ title 'The Photon operating system must configure auditd to log to disk.'
+ desc "
+ Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+
+ Audit record content must be shipped to a central location, but it must also be logged locally.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify auditd is configured to write logs to disk:
+
+ # grep '^write_logs' /etc/audit/auditd.conf
+
+ Example result:
+
+ write_logs = yes
+
+ If there is no output, this is not a finding.
+
+ If \"write_logs\" exists and is not configured to \"yes\", this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/audit/auditd.conf
+
+ Ensure the \"write_logs\" line is uncommented and set to the following:
+
+ write_logs = yes
+
+ At the command line, run the following command:
+
+ # pkill -SIGHUP auditd
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000037-GPOS-00015'
+ tag gid: 'V-PHTN-40-000014'
+ tag rid: 'SV-PHTN-40-000014'
+ tag stig_id: 'PHTN-40-000014'
+ tag cci: ['CCI-000130']
+ tag nist: ['AU-3']
+
+ describe.one do
+ describe auditd_conf do
+ its('write_logs') { should eq nil }
+ end
+ describe auditd_conf do
+ its('write_logs') { should cmp 'yes' }
+ end
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000016.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000016.rb
new file mode 100644
index 00000000..862ffb79
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000016.rb
@@ -0,0 +1,33 @@
+control 'PHTN-40-000016' do
+ title 'The Photon operating system must enable the auditd service.'
+ desc 'Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that end, the auditd service must be configured to start automatically and be running at all times.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify auditd is enabled and running:
+
+ # systemctl status auditd
+
+ If the service is not enabled and running, this is a finding.
+ "
+ desc 'fix', "
+ At the command line, run the following commands:
+
+ # systemctl enable auditd
+ # systemctl start auditd
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000039-GPOS-00017'
+ tag satisfies: ['SRG-OS-000040-GPOS-00018', 'SRG-OS-000041-GPOS-00019', 'SRG-OS-000042-GPOS-00021', 'SRG-OS-000062-GPOS-00031', 'SRG-OS-000255-GPOS-00096', 'SRG-OS-000365-GPOS-00152']
+ tag gid: 'V-PHTN-40-000016'
+ tag rid: 'SV-PHTN-40-000016'
+ tag stig_id: 'PHTN-40-000016'
+ tag cci: ['CCI-000132', 'CCI-000133', 'CCI-000134', 'CCI-000135', 'CCI-000169', 'CCI-001487', 'CCI-001814']
+ tag nist: ['AU-12 a', 'AU-3', 'AU-3 (1)', 'CM-5 (1)']
+
+ describe systemd_service('auditd') do
+ it { should be_installed }
+ it { should be_enabled }
+ it { should be_running }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000019.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000019.rb
new file mode 100644
index 00000000..9ec49408
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000019.rb
@@ -0,0 +1,57 @@
+control 'PHTN-40-000019' do
+ title 'The Photon operating system must be configured to audit the execution of privileged functions.'
+ desc 'Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing all actions by superusers is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify audit rules exist to audit privileged functions:
+
+ # auditctl -l | grep execve
+
+ Expected result:
+
+ -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+ -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+ -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+ -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+
+ If the output does not match the expected result, this is a finding.
+
+ Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/audit/rules.d/audit.STIG.rules
+
+ Add or update the following lines:
+
+ -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+ -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+ -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+ -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+
+ At the command line, run the following command to load the new audit rules:
+
+ # /sbin/augenrules --load
+
+ Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
+
+ Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000042-GPOS-00020'
+ tag satisfies: ['SRG-OS-000326-GPOS-00126']
+ tag gid: 'V-PHTN-40-000019'
+ tag rid: 'SV-PHTN-40-000019'
+ tag stig_id: 'PHTN-40-000019'
+ tag cci: ['CCI-000135', 'CCI-002233']
+ tag nist: ['AC-6 (8)', 'AU-3 (1)']
+
+ describe auditd do
+ its('lines') { should include /-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv/ }
+ its('lines') { should include /-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv/ }
+ its('lines') { should include /-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv/ }
+ its('lines') { should include /-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv/ }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000021.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000021.rb
new file mode 100644
index 00000000..1055ca0b
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000021.rb
@@ -0,0 +1,52 @@
+control 'PHTN-40-000021' do
+ title 'The Photon operating system must alert the ISSO and SA in the event of an audit processing failure.'
+ desc "
+ It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+
+ Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify auditd is configured to send an alert via syslog in the event of an audit processing failure:
+
+ # grep -E \"^disk_full_action|^disk_error_action|^admin_space_left_action\" /etc/audit/auditd.conf
+
+ Example result:
+
+ admin_space_left_action = SYSLOG
+ disk_full_action = SYSLOG
+ disk_error_action = SYSLOG
+
+ If \"disk_full_action\", \"disk_error_action\", and \"admin_space_left_action\" are not set to SYSLOG or are missing, this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/audit/auditd.conf
+
+ Ensure the following lines are present, not duplicated, and not commented:
+
+ disk_full_action = SYSLOG
+ disk_error_action = SYSLOG
+ admin_space_left_action = SYSLOG
+
+ At the command line, run the following command:
+
+ # pkill -SIGHUP auditd
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000046-GPOS-00022'
+ tag satisfies: ['SRG-OS-000344-GPOS-00135']
+ tag gid: 'V-PHTN-40-000021'
+ tag rid: 'SV-PHTN-40-000021'
+ tag stig_id: 'PHTN-40-000021'
+ tag cci: ['CCI-000139', 'CCI-001858']
+ tag nist: ['AU-5 (2)', 'AU-5 a']
+
+ describe auditd_conf do
+ its('disk_full_action') { should cmp 'SYSLOG' }
+ its('disk_error_action') { should cmp 'SYSLOG' }
+ its('admin_space_left_action') { should cmp 'SYSLOG' }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000026.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000026.rb
new file mode 100644
index 00000000..b536eccd
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000026.rb
@@ -0,0 +1,55 @@
+control 'PHTN-40-000026' do
+ title 'The Photon operating system must protect audit logs from unauthorized access.'
+ desc "
+ Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
+
+ Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to find the current auditd log location:
+
+ # grep -iw log_file /etc/audit/auditd.conf
+
+ Example result:
+
+ log_file = /var/log/audit/audit.log
+
+ At the command line, run the following command using the file found in the previous step to verify auditd logs are protected from authorized access:
+
+ # stat -c \"%n %U:%G %a\" /var/log/audit/audit.log
+
+ Example result:
+
+ /var/log/audit/audit.log root:root 600
+
+ If the audit log file does not have permissions set to \"0600\", this is a finding.
+ If the audit log file is not owned by root, this is a finding.
+ If the audit log file is not group owned by root, this is a finding.
+ "
+ desc 'fix', "
+ At the command line, run the following commands:
+
+ # chmod 0600
+ # chown root:root
+
+ Replace with the target log file.
+
+ Note: If \"log_group\" is configured in the auditd.conf file and set to something other than \"root\", the permissions changes will not be persistent.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000057-GPOS-00027'
+ tag satisfies: ['SRG-OS-000058-GPOS-00028', 'SRG-OS-000059-GPOS-00029']
+ tag gid: 'V-PHTN-40-000026'
+ tag rid: 'SV-PHTN-40-000026'
+ tag stig_id: 'PHTN-40-000026'
+ tag cci: ['CCI-000162', 'CCI-000163', 'CCI-000164']
+ tag nist: ['AU-9']
+
+ describe file(auditd_conf('/etc/audit/auditd.conf').log_file) do
+ its('mode') { should cmp '0600' }
+ its('owner') { should cmp 'root' }
+ its('group') { should cmp 'root' }
+ end
+end
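Review bot: `file(auditd_conf('/etc/audit/auditd.conf').log_file)` in the describe block hands `nil` to `file()` when `log_file` is not set in auditd.conf, so the control errors out instead of testing the daemon's default location; `log_file = auditd_conf('/etc/audit/auditd.conf').log_file || '/var/log/audit/audit.log'` guards this, using the same default path the check text shows. The check text also says the logs must be "protected from authorized access", which reads as a typo for "unauthorized". The fix text's `# chmod 0600` and `# chown root:root` lines carry no file operand even though the next line says "Replace with the target log file", which suggests an angle-bracketed placeholder was stripped; the same applies to PHTN-40-000030 and PHTN-40-000040.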
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000030.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000030.rb
new file mode 100644
index 00000000..2c8dd9d8
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000030.rb
@@ -0,0 +1,45 @@
+control 'PHTN-40-000030' do
+ title 'The Photon operating system must allow only authorized users to configure the auditd service.'
+ desc "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one."
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify permissions on auditd configuration and rules files:
+
+ # find /etc/audit/* -type f -exec stat -c \"%n %U:%G %a\" {} $1\\;
+
+ If any files are returned with permissions more permissive than \"0640\", this is a finding.
+ If any files are returned not owned by root, this is a finding.
+ If any files are returned not group owned by root, this is a finding.
+ "
+ desc 'fix', "
+ At the command line, run the following commands:
+
+ # chmod 0640
+ # chown root:root
+
+ Replace with the target file.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000063-GPOS-00032'
+ tag gid: 'V-PHTN-40-000030'
+ tag rid: 'SV-PHTN-40-000030'
+ tag stig_id: 'PHTN-40-000030'
+ tag cci: ['CCI-000171']
+ tag nist: ['AU-12 b']
+
+ auditfiles = command('find /etc/audit/ -type f').stdout
+ if !auditfiles.empty?
+ auditfiles.split.each do |fname|
+ describe file(fname) do
+ it { should_not be_more_permissive_than('0640') }
+ its('owner') { should cmp 'root' }
+ its('group') { should cmp 'root' }
+ end
+ end
+ else
+ describe 'No auditd configuration files found. Is auditd installed?' do
+ skip 'No auditd configuration files found. Is auditd installed?'
+ end
+ end
+end
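Review bot: `auditfiles.split` in the loop near the end of the hunk splits the `find` output on any whitespace, so a path containing a space is tested as two nonexistent files; `auditfiles.lines.map(&:chomp).reject(&:empty?).each do |fname|` splits on newlines only. The empty-stdout branch also treats a failing `find` (a permission error, for instance) the same as "no files" and skips, so checking `exit_status` on the command result before deciding to skip would keep a broken scan from reading as not applicable. In the check text the `find` command ends in `{} $1\\;`, which looks like a typo or extraction artifact for `{} \\;`.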
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000031.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000031.rb
new file mode 100644
index 00000000..d385f8e2
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000031.rb
@@ -0,0 +1,59 @@
+control 'PHTN-40-000031' do
+ title 'The Photon operating system must generate audit records when successful/unsuccessful attempts to access privileges occur.'
+ desc 'The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify an audit rule exists to audit account creations:
+
+ # auditctl -l | grep chmod
+
+ Expected result:
+
+ -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
+ -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod
+ -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
+ -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod
+
+ If the output does not match the expected result, this is a finding.
+
+ Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.
+
+ Note: auid!=-1, auid!=4294967295, auid!=unset are functionally equivalent in this check and the output of the above commands may be displayed in either format.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/audit/rules.d/audit.STIG.rules
+
+ Add or update the following lines:
+
+ -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod
+ -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
+ -a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod
+
+ At the command line, run the following command to load the new audit rules:
+
+ # /sbin/augenrules --load
+
+ Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
+
+ Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000064-GPOS-00033'
+ tag satisfies: ['SRG-OS-000462-GPOS-00206', 'SRG-OS-000466-GPOS-00210', 'SRG-OS-000468-GPOS-00212', 'SRG-OS-000474-GPOS-00219']
+ tag gid: 'V-PHTN-40-000031'
+ tag rid: 'SV-PHTN-40-000031'
+ tag stig_id: 'PHTN-40-000031'
+ tag cci: ['CCI-000172']
+ tag nist: ['AU-12 c']
+
+ describe auditd do
+ its('lines') { should include /-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod/ }
+ its('lines') { should include /-a always,exit -F arch=b64 -S chmod,fchmod,chown,fchown,lchown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod/ }
+ its('lines') { should include /-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod/ }
+ its('lines') { should include /-a always,exit -F arch=b32 -S chmod,lchown,fchmod,fchown,chown,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,fchownat,fchmodat -F auid=0 -F key=perm_mod/ }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000035.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000035.rb
new file mode 100644
index 00000000..c23a0aa0
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000035.rb
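Review bot: The first and third `its('lines') { should include /.../ }` patterns in the describe block accept only the `auid!=-1` spelling, while the check text's own note says `auid!=4294967295` and `auid!=unset` are equivalent and may appear in `auditctl -l` output, so a compliant host can fail the automated test; replacing `auid!=-1` with `auid!=(-1|4294967295|unset)` in those two regexes aligns the test with the text. Note that `include` with a regex matches a substring of each line, so a rule carrying extra `-F` filters would still pass; anchoring with `\A` and `\z` would make the comparison as strict as the "does not match the expected result" wording. The check text also opens with "verify an audit rule exists to audit account creations", which does not describe this permission-modification rule.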
@@ -0,0 +1,49 @@
+control 'PHTN-40-000035' do
+ title 'The Photon operating system must enforce password complexity by requiring that at least one upper-case character be used.'
+ desc "
+ Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify at least one upper-case character be used:
+
+ # grep '^ucredit' /etc/security/pwquality.conf
+
+ Example result:
+
+ ucredit = -1
+
+ If the \"ucredit\" option is not < 0, is missing or commented out, this is a finding.
+
+ Note: If pwquality.conf is not used to configure pam_pwquality.so, these options may be specified on the pwquality line in the system-password file.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/security/pwquality.conf
+
+ Add or update the following lines:
+
+ ucredit = -1
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000069-GPOS-00037'
+ tag gid: 'V-PHTN-40-000035'
+ tag rid: 'SV-PHTN-40-000035'
+ tag stig_id: 'PHTN-40-000035'
+ tag cci: ['CCI-000192']
+ tag nist: ['IA-5 (1) (a)']
+
+ if input('usePwqualityConf')
+ describe parse_config_file('/etc/security/pwquality.conf') do
+ its('ucredit') { should cmp < 0 }
+ end
+ else
+ describe file('/etc/pam.d/system-password') do
+ its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+(?=.*\bucredit=-1\b).*$/ }
+ end
+ end
+end
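Review bot: The two branches of the final `if input('usePwqualityConf')` block enforce different rules: the pwquality.conf branch accepts any `ucredit` below zero, as the check text states, but the PAM fallback regex requires the literal `ucredit=-1`, so a `pam_pwquality.so` line with `ucredit=-2` satisfies the text and fails the control. Changing the look-ahead to `(?=.*\bucredit=-\d+\b)` aligns the two branches. The same literal-versus-threshold mismatch is in PHTN-40-000036 (`lcredit=-1`), PHTN-40-000037 (`dcredit=-1`), PHTN-40-000038 (`difok=8` against `>= 8`), PHTN-40-000043 (`remember=5` against `>= 5`) and PHTN-40-000044 (`minlen=15` against `> 14`); for those numeric thresholds, capturing the value with something like `match(/\bdifok=(\d+)\b/)` and comparing it as an integer is clearer than encoding a range in the regex.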
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000036.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000036.rb
new file mode 100644
index 00000000..85185e79
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000036.rb
@@ -0,0 +1,49 @@
+control 'PHTN-40-000036' do
+ title 'The Photon operating system must enforce password complexity by requiring that at least one lower-case character be used.'
+ desc "
+ Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify at least one lower-case character be used:
+
+ # grep '^lcredit' /etc/security/pwquality.conf
+
+ Example result:
+
+ lcredit = -1
+
+ If the \"lcredit\" option is not < 0, is missing or commented out, this is a finding.
+
+ Note: If pwquality.conf is not used to configure pam_pwquality.so, these options may be specified on the pwquality line in the system-password file.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/security/pwquality.conf
+
+ Add or update the following lines:
+
+ lcredit = -1
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000070-GPOS-00038'
+ tag gid: 'V-PHTN-40-000036'
+ tag rid: 'SV-PHTN-40-000036'
+ tag stig_id: 'PHTN-40-000036'
+ tag cci: ['CCI-000193']
+ tag nist: ['IA-5 (1) (a)']
+
+ if input('usePwqualityConf')
+ describe parse_config_file('/etc/security/pwquality.conf') do
+ its('lcredit') { should cmp < 0 }
+ end
+ else
+ describe file('/etc/pam.d/system-password') do
+ its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+(?=.*\blcredit=-1\b).*$/ }
+ end
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000037.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000037.rb
new file mode 100644
index 00000000..41c0ce0b
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000037.rb
@@ -0,0 +1,49 @@
+control 'PHTN-40-000037' do
+ title 'The Photon operating system must enforce password complexity by requiring that at least one numeric character be used.'
+ desc "
+ Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify at least one lower-case character be used:
+
+ # grep '^dcredit' /etc/security/pwquality.conf
+
+ Example result:
+
+ dcredit = -1
+
+ If the \"dcredit\" option is not < 0, is missing or commented out, this is a finding.
+
+ Note: If pwquality.conf is not used to configure pam_pwquality.so, these options may be specified on the pwquality line in the system-password file.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/security/pwquality.conf
+
+ Add or update the following lines:
+
+ dcredit = -1
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000071-GPOS-00039'
+ tag gid: 'V-PHTN-40-000037'
+ tag rid: 'SV-PHTN-40-000037'
+ tag stig_id: 'PHTN-40-000037'
+ tag cci: ['CCI-000194']
+ tag nist: ['IA-5 (1) (a)']
+
+ if input('usePwqualityConf')
+ describe parse_config_file('/etc/security/pwquality.conf') do
+ its('dcredit') { should cmp < 0 }
+ end
+ else
+ describe file('/etc/pam.d/system-password') do
+ its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+(?=.*\bdcredit=-1\b).*$/ }
+ end
+ end
+end
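Review bot: The check text's first line, "verify at least one lower-case character be used", was carried over from PHTN-40-000036 and contradicts this control's title; it should read "verify at least one numeric character be used". The same carry-over appears in PHTN-40-000038, whose check text also says "lower-case character" but verifies `difok`, in PHTN-40-000040, whose `desc` is the password-encryption rationale from PHTN-40-000039 rather than a reason to remove telnet, and in PHTN-40-000043, whose check text says it verifies account lockout "after three consecutive invalid logon attempts" while the command inspects `remember` in pwhistory.conf. These strings are what auditors read in the generated guide, so they deserve the same care as the tests.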
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000038.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000038.rb
new file mode 100644
index 00000000..e593a852
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000038.rb
@@ -0,0 +1,51 @@
+control 'PHTN-40-000038' do
+ title 'The Photon operating system must require the change of at least 8 characters when passwords are changed.'
+ desc "
+ If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
+
+ The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
+
+ If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify at least one lower-case character be used:
+
+ # grep '^difok' /etc/security/pwquality.conf
+
+ Example result:
+
+ difok = 8
+
+ If the \"difok\" option is not >= 8, is missing or commented out, this is a finding.
+
+ Note: If pwquality.conf is not used to configure pam_pwquality.so, these options may be specified on the pwquality line in the system-password file.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/security/pwquality.conf
+
+ Add or update the following lines:
+
+ difok = 8
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000072-GPOS-00040'
+ tag gid: 'V-PHTN-40-000038'
+ tag rid: 'SV-PHTN-40-000038'
+ tag stig_id: 'PHTN-40-000038'
+ tag cci: ['CCI-000195']
+ tag nist: ['IA-5 (1) (b)']
+
+ if input('usePwqualityConf')
+ describe parse_config_file('/etc/security/pwquality.conf') do
+ its('difok') { should cmp >= 8 }
+ end
+ else
+ describe file('/etc/pam.d/system-password') do
+ its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+(?=.*\bdifok=8\b).*$/ }
+ end
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000039.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000039.rb
new file mode 100644
index 00000000..d38e7082
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000039.rb
@@ -0,0 +1,37 @@
+control 'PHTN-40-000039' do
+ title 'The operating system must store only encrypted representations of passwords.'
+ desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify passwords are stored with only encrypted representations:
+
+ # grep ^ENCRYPT_METHOD /etc/login.defs
+
+ Example result:
+
+ ENCRYPT_METHOD SHA512
+
+ If the \"ENCRYPT_METHOD\" option is not set to \"SHA512\", is missing or commented out, this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/login.defs
+
+ Add or update the following line:
+
+ ENCRYPT_METHOD SHA512
+ "
+ impact 0.7
+ tag severity: 'high'
+ tag gtitle: 'SRG-OS-000073-GPOS-00041'
+ tag gid: 'V-PHTN-40-000039'
+ tag rid: 'SV-PHTN-40-000039'
+ tag stig_id: 'PHTN-40-000039'
+ tag cci: ['CCI-000196']
+ tag nist: ['IA-5 (1) (c)']
+
+ describe login_defs do
+ its('ENCRYPT_METHOD') { should cmp 'SHA512' }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000040.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000040.rb
new file mode 100644
index 00000000..54bbc7f4
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000040.rb
@@ -0,0 +1,30 @@
+control 'PHTN-40-000040' do
+ title 'The Photon operating system must not have the telnet package installed.'
+ desc 'Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify telnet is not installed:
+
+ # rpm -qa | grep telnet
+
+ If any results are returned indicating telnet is installed, this is a finding.
+ "
+ desc 'fix', "
+ At the command line, run the following command:
+
+ # tdnf remove
+ "
+ impact 0.7
+ tag severity: 'high'
+ tag gtitle: 'SRG-OS-000074-GPOS-00042'
+ tag gid: 'V-PHTN-40-000040'
+ tag rid: 'SV-PHTN-40-000040'
+ tag stig_id: 'PHTN-40-000040'
+ tag cci: ['CCI-000197']
+ tag nist: ['IA-5 (1) (c)']
+
+ describe command('rpm -qa | grep telnet') do
+ its('stdout') { should cmp '' }
+ its('stderr') { should cmp '' }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000041.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000041.rb
new file mode 100644
index 00000000..05da8a2e
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000041.rb
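Review bot: `command('rpm -qa | grep telnet')` in the describe block matches any package whose name merely contains "telnet", and because the pipeline's exit status is never examined an `rpm` failure with empty output is indistinguishable from "nothing installed"; InSpec's package resource states the intent directly: `describe package('telnet') do` / `it { should_not be_installed }` / `end`. If the broader substring match is deliberate (to catch differently named telnet clients), a comment saying so would stop the next reader from tightening it. The fix text's `# tdnf remove` has no package operand, presumably an angle-bracketed placeholder that was stripped.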
@@ -0,0 +1,33 @@
+control 'PHTN-40-000041' do
+ title 'The Photon operating system must enforce 1 day as the minimum password lifetime.'
+ desc "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse."
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify 1 day as the minimum password lifetime:
+
+ # grep '^PASS_MIN_DAYS' /etc/login.defs
+
+ If \"PASS_MIN_DAYS\" is not set to 1, is missing or commented out, this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/login.defs
+
+ Add or update the following line:
+
+ PASS_MIN_DAYS 1
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000075-GPOS-00043'
+ tag gid: 'V-PHTN-40-000041'
+ tag rid: 'SV-PHTN-40-000041'
+ tag stig_id: 'PHTN-40-000041'
+ tag cci: ['CCI-000198']
+ tag nist: ['IA-5 (1) (d)']
+
+ describe login_defs do
+ its('PASS_MIN_DAYS') { should cmp '1' }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000042.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000042.rb
new file mode 100644
index 00000000..52dfc612
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000042.rb
@@ -0,0 +1,33 @@
+control 'PHTN-40-000042' do
+ title 'The Photon operating systems must enforce a 90 day maximum password lifetime restriction.'
+ desc 'Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify a 90 day maximum password lifetime restriction:
+
+ # grep '^PASS_MAX_DAYS' /etc/login.defs
+
+ If \"PASS_MAX_DAYS\" is not set to <= 90, is missing or commented out, this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/login.defs
+
+ Add or update the following line:
+
+ PASS_MAX_DAYS 90
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000076-GPOS-00044'
+ tag gid: 'V-PHTN-40-000042'
+ tag rid: 'SV-PHTN-40-000042'
+ tag stig_id: 'PHTN-40-000042'
+ tag cci: ['CCI-000199']
+ tag nist: ['IA-5 (1) (d)']
+
+ describe login_defs do
+ its('PASS_MAX_DAYS') { should cmp <= '90' }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000043.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000043.rb
new file mode 100644
index 00000000..08e7ef49
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000043.rb
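Review bot: `its('PASS_MAX_DAYS') { should cmp <= '90' }` in the describe block also passes for `PASS_MAX_DAYS -1` or `0`, and shadow-utils treats a negative maximum as "no expiry" for accounts created afterwards (if I recall useradd's behaviour correctly), which is the opposite of what this control is for; adding `its('PASS_MAX_DAYS') { should cmp > 0 }` closes that gap. The check text could say the same, for example "is not set to a value between 1 and 90".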
@@ -0,0 +1,45 @@
+control 'PHTN-40-000043' do
+ title 'The Photon operating system must prohibit password reuse for a minimum of five generations.'
+ desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following commands to verify accounts are locked after three consecutive invalid logon attempts by a user during a 15-minute time period:
+
+ # grep '^remember' /etc/security/pwhistory.conf
+
+ Example result:
+
+ remember = 5
+
+ If the \"remember\" option is not set to \"5\" or greater, this is a finding.
+
+ Note: If pwhistory.conf is not used to configure the \"pam_pwhistory.so\" module, then these options may be specified on the pwhistory lines in the system-password PAM file.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/security/pwhistory.conf
+
+ Add or update the following lines:
+
+ remember = 5
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000077-GPOS-00045'
+ tag gid: 'V-PHTN-40-000043'
+ tag rid: 'SV-PHTN-40-000043'
+ tag stig_id: 'PHTN-40-000043'
+ tag cci: ['CCI-000200']
+ tag nist: ['IA-5 (1) (e)']
+
+ if input('useHistoryConf')
+ describe parse_config_file('/etc/security/pwhistory.conf') do
+ its('remember') { should cmp >= 5 }
+ end
+ else
+ describe file('/etc/pam.d/system-password') do
+ its('content') { should match /^password\s+(required|requisite)\s+pam_pwhistory\.so\s+(?=.*\bremember=5\b).*$/ }
+ end
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000044.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000044.rb
new file mode 100644
index 00000000..97711f51
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000044.rb
@@ -0,0 +1,49 @@
+control 'PHTN-40-000044' do
+ title 'The Photon operating system must enforce a minimum 15-character password length.'
+ desc "
+ The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+
+ Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify a minimum 15-character password length:
+
+ # grep '^minlen' /etc/security/pwquality.conf
+
+ Example result:
+
+ minlen = 15
+
+ If the \"minlen\" option is not >= 15, is missing or commented out, this is a finding.
+
+ Note: If pwquality.conf is not used to configure pam_pwquality.so, these options may be specified on the pwquality line in the system-password file.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/security/pwquality.conf
+
+ Add or update the following lines:
+
+ minlen = 15
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000078-GPOS-00046'
+ tag gid: 'V-PHTN-40-000044'
+ tag rid: 'SV-PHTN-40-000044'
+ tag stig_id: 'PHTN-40-000044'
+ tag cci: ['CCI-000205']
+ tag nist: ['IA-5 (1) (a)']
+
+ if input('usePwqualityConf')
+ describe parse_config_file('/etc/security/pwquality.conf') do
+ its('minlen') { should cmp > 14 }
+ end
+ else
+ describe file('/etc/pam.d/system-password') do
+ its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+(?=.*\bminlen=15\b).*$/ }
+ end
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000046.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000046.rb
new file mode 100644
index 00000000..323610c6
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000046.rb
@@ -0,0 +1,77 @@
+control 'PHTN-40-000046' do
+ title 'The Photon operating system must require authentication upon booting into single-user and maintenance modes.'
+ desc "
+ If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all files on the system. GRUB2 is the boot loader for Photon OS and is can be configured to require a password to boot into single-user mode or make modifications to the boot menu.
+
+ Note: Photon does not support building grub changes via grub2-mkconfig.
+ "
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify a password is required to edit the grub bootloader to boot into single-user mode:
+
+ # grep -E \"^set\\ssuperusers|^password_pbkdf2\" /boot/grub2/grub.cfg
+
+ Example output:
+
+ set superusers=\"root\"
+ password_pbkdf2 root grub.pbkdf2.sha512.[password_hash]
+
+ If superusers is not set, this is a finding.
+ If a password is not set for the super user, this is a finding.
+ "
+ desc 'fix', "
+ Before proceeding ensure a snapshot is taken to rollback if needed.
+
+ At the command line, run the following command to generate a grub password:
+
+ # grub2-mkpasswd-pbkdf2
+
+ Enter a secure password and ensure this password is stored for break-glass situations. You will not be able to recover the root account without knowing this separate password. Copy the resulting encrypted string.
+
+ An example string is below:
+
+ grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86
+
+ Note: The grub2 package must be installed to generate a password for grub.
+
+ Navigate to and open:
+
+ /boot/grub2/grub.cfg
+
+ Find the line that begins with \"set rootpartition\". Below this line, paste the following on its own line:
+
+ set superusers=\"root\"
+
+ Note: The superusers name can be a value other than root and is not tied to an OS account.
+
+ Below this paste the following, substituting your own encrypted string from the steps above:
+
+ password_pbkdf2 root
+
+ Next edit the default Photon menuentry block with the \"--unrestricted\" parameter so that it will continue to boot without prompting for credentials, for example:
+
+ menuentry \"Photon\" --unrestricted {
+ linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1
+ if [ -f /boot/$photon_initrd ]; then
+ initrd /boot/$photon_initrd
+ fi
+ }
+
+ When booting now if you hit 'e' when the Photon splash screen appears you should be prompted for credentials before being presented the option to edit the boot loader before system startup.
+
+ Note: Photon does not support building grub changes via grub2-mkconfig.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000080-GPOS-00048'
+ tag gid: 'V-PHTN-40-000046'
+ tag rid: 'SV-PHTN-40-000046'
+ tag stig_id: 'PHTN-40-000046'
+ tag cci: ['CCI-000213']
+ tag nist: ['AC-3']
+
+ describe file('/boot/grub2/grub.cfg') do
+ its('content') { should match /^set\ssuperusers=.*$/ }
+ its('content') { should match /^password_pbkdf2\sroot\sgrub.pbkdf2.sha512/ }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000047.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000047.rb
new file mode 100644
index 00000000..77a85a12
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000047.rb
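Review bot: The second regex in the describe block, `/^password_pbkdf2\sroot\sgrub.pbkdf2.sha512/`, hard-codes the user `root`, while the fix text explicitly allows a different superuser name, so a host that followed the fix with another name fails the control. `its('content') { should match /^password_pbkdf2\s\S+\sgrub\.pbkdf2\.sha512\./ }` accepts any name and escapes the dots; a stricter version would read the name out of the `set superusers=` line and require the `password_pbkdf2` line to use that same name, since a password for a user who is not a superuser protects nothing. The first regex, `/^set\ssuperusers=.*$/`, also passes an empty `set superusers=""`; `/^set\ssuperusers="?[^"\s]+"?\s*$/` requires a value.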
@@ -0,0 +1,88 @@ +control 'PHTN-40-000047' do + title 'The Photon operating system must disable unnecessary kernel modules.' + desc " + It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. + + Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). + + Examples of nonessential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the following kernel modules are not loaded: + + # modprobe --showconfig | grep \"^install\" | grep \"/bin\" + + Expected result: + + install bridge /bin/false + install sctp /bin/false + install dccp /bin/false + install dccp_ipv4 /bin/false + install dccp_ipv6 /bin/false + install ipx /bin/false + install appletalk /bin/false + install decnet /bin/false + install rds /bin/false + install tipc /bin/false + install bluetooth /bin/false + install usb_storage /bin/false + install ieee1394 /bin/false + install cramfs /bin/false + install freevxfs /bin/false + install jffs2 /bin/false + install hfs /bin/false + install hfsplus /bin/false + install squashfs /bin/false + install udf /bin/false + + The output may include other statements outside of the expected result. + + If the output does not include at least every statement in the expected result, this is a finding. 
+ " + desc 'fix', " + Navigate to and open: + + /etc/modprobe.d/modprobe.conf + + Set the contents as follows: + + install bridge /bin/false + install sctp /bin/false + install dccp /bin/false + install dccp_ipv4 /bin/false + install dccp_ipv6 /bin/false + install ipx /bin/false + install appletalk /bin/false + install decnet /bin/false + install rds /bin/false + install tipc /bin/false + install bluetooth /bin/false + install usb_storage /bin/false + install ieee1394 /bin/false + install cramfs /bin/false + install freevxfs /bin/false + install jffs2 /bin/false + install hfs /bin/false + install hfsplus /bin/false + install squashfs /bin/false + install udf /bin/false + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000095-GPOS-00049' + tag satisfies: ['SRG-OS-000114-GPOS-00059'] + tag gid: 'V-PHTN-40-000047' + tag rid: 'SV-PHTN-40-000047' + tag stig_id: 'PHTN-40-000047' + tag cci: ['CCI-000381', 'CCI-000778'] + tag nist: ['CM-7 a', 'IA-3'] + + disabled_modules = input('disabled_modules') + disabled_modules.each do |mod| + describe kernel_module(mod) do + it { should be_disabled } + it { should_not be_loaded } + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000049.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000049.rb new file mode 100644 index 00000000..98bb7923 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000049.rb 
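Review bot: The describe loop at the end of the control iterates `input('disabled_modules')`, so the set of modules actually enforced lives in the inputs file rather than in the check text above, and if that input is missing or empty the `each` emits no examples and the control passes vacuously. Add a guard before the loop so an empty list fails instead of silently passing, e.g. `describe 'disabled_modules input' do` / `it { expect(disabled_modules).not_to be_empty }` / `end`, and keep the input's default in step with the twenty modules listed in the check text. A smaller point on the fix text: "Set the contents as follows" instructs replacing `/etc/modprobe.d/modprobe.conf` wholesale, whereas the check explicitly tolerates extra statements, so "Add or update the following lines" would avoid discarding site-specific entries.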
@@ -0,0 +1,32 @@ +control 'PHTN-40-000049' do + title 'The Photon operating system must not have duplicate User IDs (UIDs).' + desc 'To ensure accountability and prevent unauthenticated access, organizational users must be uniquely identified and authenticated to prevent potential misuse and provide for nonrepudiation.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify there are no duplicate user IDs present: + + # awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd + + If any lines are returned, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/passwd + + Configure each user account that has a duplicate UID with a unique UID. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000104-GPOS-00051' + tag gid: 'V-PHTN-40-000049' + tag rid: 'SV-PHTN-40-000049' + tag stig_id: 'PHTN-40-000049' + tag cci: ['CCI-000764'] + tag nist: ['IA-2'] + + describe command('awk -F ":" \'list[$3]++{print $1, $3}\' /etc/passwd') do + its('stdout') { should cmp '' } + its('stderr') { should cmp '' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000059.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000059.rb new file mode 100644 index 00000000..95d3a91e --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000059.rb 
@@ -0,0 +1,43 @@ +control 'PHTN-40-000059' do + title 'The Photon operating system must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.' + desc " + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. + + Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. + + FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify system-password is configured to encrypt representations of passwords: + + # grep sha512 /etc/pam.d/system-password + + Example result: + + password required pam_unix.so sha512 shadow use_authtok + + If the \"pam_unix.so\" module is not configured with the \"sha512\" parameter, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/pam.d/system-password + + Add or update the following line: + + password required pam_unix.so sha512 shadow use_authtok + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000120-GPOS-00061' + tag gid: 'V-PHTN-40-000059' + tag rid: 'SV-PHTN-40-000059' + tag stig_id: 'PHTN-40-000059' + tag cci: ['CCI-000803'] + tag nist: ['IA-7'] + + describe file('/etc/pam.d/system-password') do + its('content') { should match /^password\s+(required|requisite)\s+pam_unix\.so\s+(?=.*\bsha512\b).*$/ } + end +end 
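Review bot: The check command `grep sha512 /etc/pam.d/system-password` matches commented-out lines as well, so a manual reviewer following the check text can see `#password required pam_unix.so sha512 …` and conclude the control is met while the InSpec regex (anchored on `^password`) correctly fails it. Tighten the check to what the test verifies, e.g. `grep -E '^password\s+(required|requisite)\s+pam_unix\.so.*sha512' /etc/pam.d/system-password`. The regex also proves only that at least one compliant line exists, not that no other `pam_unix.so` password line lacks the parameter; a one-line comment above the describe saying so would set expectations for whoever extends this control.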
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000066.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000066.rb new file mode 100644 index 00000000..1dc1e353 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000066.rb 
@@ -0,0 +1,58 @@ +control 'PHTN-40-000066' do + title 'The Photon operating system must enable SELinux.' + desc " + An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. + + Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For nonkernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. + + Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. Operating systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify SELinux is enabled: + + # getenforce + + Expected result: + + Enforcing + + If SELinux is not active and not in \"Enforcing\" mode, this is a finding. + + Note: The \"getenforce\" command requires the \"libselinux-utils\" package to be installed. + " + desc 'fix', " + Navigate to and open: + + /boot/grub2/grub.cfg + + Locate the boot command line arguments. 
An example follows: + + linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline + + Add \"security=selinux selinux=1 enforcing=1\" to the end of the line so it reads as follows: + + linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1 security=selinux selinux=1 enforcing=1 + + Note: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append \"security=selinux selinux=1 enforcing=1\" to it. + + Reboot the system for the change to take effect. + + Note: The selinux-policy package must be installed before these steps can be completed. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000134-GPOS-00068' + tag satisfies: ['SRG-OS-000445-GPOS-00199'] + tag gid: 'V-PHTN-40-000066' + tag rid: 'SV-PHTN-40-000066' + tag stig_id: 'PHTN-40-000066' + tag cci: ['CCI-001084', 'CCI-002696'] + tag nist: ['SC-3', 'SI-6 a'] + + describe selinux do + it { should be_installed } + it { should_not be_disabled } + it { should be_enforcing } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000067.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000067.rb new file mode 100644 index 00000000..5f7acc34 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000067.rb 
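Review bot: The `selinux` resource assertions at the end check only the running state (`getenforce`), so a host where an operator ran `setenforce 1` without editing `/boot/grub2/grub.cfg` passes the test yet reverts to permissive or disabled at the next boot. Since the fix persists the setting on the kernel command line, add a check on the booted command line beside the runtime check, e.g. `describe command('cat /proc/cmdline') do` / `its('stdout.strip') { should match(/(?:^|\s)security=selinux\b.*(?:^|\s)selinux=1\b.*(?:^|\s)enforcing=1\b/) }` / `end`. The example line in the fix text also carries `audit=1`, which belongs to PHTN-40-000080 rather than this control; a short remark to that effect would help someone applying controls in isolation.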
@@ -0,0 +1,43 @@ +control 'PHTN-40-000067' do + title 'The Photon operating system must restrict access to the kernel message buffer.' + desc 'Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify kernel message buffer restrictions are enabled: + + # /sbin/sysctl kernel.dmesg_restrict + + Example result: + + kernel.dmesg_restrict = 1 + + If the \"kernel.dmesg_restrict\" kernel parameter is not set to \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following line: + + kernel.dmesg_restrict = 1 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000138-GPOS-00069' + tag gid: 'V-PHTN-40-000067' + tag rid: 'SV-PHTN-40-000067' + tag stig_id: 'PHTN-40-000067' + tag cci: ['CCI-001090'] + tag nist: ['SC-4'] + + describe kernel_parameter('kernel.dmesg_restrict') do + its('value') { should cmp 1 } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000068.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000068.rb new file mode 100644 index 00000000..489b43a2 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000068.rb 
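Review bot: The fix text persists `kernel.dmesg_restrict = 1` in `/etc/sysctl.d/zz-stig-hardening.conf` and then runs `/sbin/sysctl --load`, but on procps-ng `--load` with no file argument reads only `/etc/sysctl.conf`, so the new drop-in is not applied until reboot and the `kernel_parameter` test keeps failing right after the documented fix. Use `# /sbin/sysctl --system` (which walks `/etc/sysctl.d`) or name the file, `# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf`; confirm against the sysctl shipped on Photon 4 before changing the text. If persistence should be asserted as well as the live value, add `describe file('/etc/sysctl.d/zz-stig-hardening.conf') do its('content') { should match(/^\s*kernel\.dmesg_restrict\s*=\s*1\s*$/) } end`.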
@@ -0,0 +1,44 @@ +control 'PHTN-40-000068' do + title 'The Photon operating system must be configured to use TCP syncookies.' + desc "A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected and enables the system to continue servicing valid connection requests." + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify TCP syncookies are enabled: + + # /sbin/sysctl net.ipv4.tcp_syncookies + + Example result: + + net.ipv4.tcp_syncookies = 1 + + If \"net.ipv4.tcp_syncookies\" is not set to \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following line: + + net.ipv4.tcp_syncookies = 1 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000142-GPOS-00071' + tag satisfies: ['SRG-OS-000420-GPOS-00186'] + tag gid: 'V-PHTN-40-000068' + tag rid: 'SV-PHTN-40-000068' + tag stig_id: 'PHTN-40-000068' + tag cci: ['CCI-001095', 'CCI-002385'] + tag nist: ['SC-5', 'SC-5 (2)'] + + describe kernel_parameter('net.ipv4.tcp_syncookies') do + its('value') { should cmp 1 } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000069.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000069.rb new file mode 100644 index 00000000..310ca633 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000069.rb 
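Review bot: The fix text writes `net.ipv4.tcp_syncookies = 1` into `/etc/sysctl.d/zz-stig-hardening.conf` and then runs `/sbin/sysctl --load`, which under procps-ng reads only `/etc/sysctl.conf` when no file is given, leaving the live value that `kernel_parameter` checks unchanged until reboot. Replace it with `# /sbin/sysctl --system`, or `# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf`, after confirming which sysctl implementation Photon 4 ships. A comment on the describe noting that it reads the runtime value only, and that persistence is the drop-in file's job, would make the split between check and fix explicit.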
@@ -0,0 +1,47 @@ +control 'PHTN-40-000069' do + title 'The Photon operating system must terminate idle Secure Shell (SSH) sessions after 15 minutes.' + desc " + Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + + Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i ClientAliveInterval + + Example result: + + ClientAliveInterval 900 + + If there is no output or if \"ClientAliveInterval\" is not set to \"900\", this is a finding. 
+ " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"ClientAliveInterval\" line is uncommented and set to the following: + + ClientAliveInterval 900 + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000163-GPOS-00072' + tag satisfies: ['SRG-OS-000395-GPOS-00175'] + tag gid: 'V-PHTN-40-000069' + tag rid: 'SV-PHTN-40-000069' + tag stig_id: 'PHTN-40-000069' + tag cci: ['CCI-001133', 'CCI-002891'] + tag nist: ['MA-4 (7)', 'SC-10'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i ClientAliveInterval") do + its('stdout.strip') { should cmp 'ClientAliveInterval 900' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000073.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000073.rb new file mode 100644 index 00000000..51c3af09 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000073.rb 
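Review bot: The assertion at the end pins only `ClientAliveInterval 900`, but the disconnect the title promises happens after `ClientAliveInterval × ClientAliveCountMax` seconds without a client response, so with OpenSSH's default `ClientAliveCountMax 3` an unresponsive session survives 45 minutes, and a responsive-but-idle interactive client is never disconnected at all since ClientAlive is a liveness probe rather than an idle timer. If `ClientAliveCountMax` is not pinned by another control in this profile (none is visible here), add a companion check such as `describe command("#{sshdcommand}|&grep -i ClientAliveCountMax") do its('stdout.strip') { should cmp 'ClientAliveCountMax 1' } end`, and say in a comment what the pair actually enforces. The `|&` in the command string is a bash-only redirection; if the shell Train uses on the target is not bash, grep sees nothing and the control fails for the wrong reason, so `2>&1 |` is the safer spelling.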
@@ -0,0 +1,42 @@ +control 'PHTN-40-000073' do + title 'The Photon operating system /var/log directory must be restricted.' + desc " + Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. + + Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify permissions on the /var/log directory: + + # stat -c \"%n is owned by %U and group owned by %G with permissions of %a\" /var/log + + Expected result: + + /var/log is owned by root and group owned by root with permissions of 755 + + If the /var/log directory is not owned by root, this is a finding. + If the /var/log directory is not group owned by root, this is a finding. + If the /var/log directory permissions are not set to 0755 or less, this is a finding. 
+ " + desc 'fix', " + At the command line, run the following commands: + + # chown root:root /var/log + # chmod 0755 /var/log + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000205-GPOS-00083' + tag gid: 'V-PHTN-40-000073' + tag rid: 'SV-PHTN-40-000073' + tag stig_id: 'PHTN-40-000073' + tag cci: ['CCI-001312'] + tag nist: ['SI-11 a'] + + describe directory('/var/log') do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + it { should_not be_more_permissive_than('0755') } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000074.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000074.rb new file mode 100644 index 00000000..fd5d77fc --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000074.rb 
@@ -0,0 +1,43 @@ +control 'PHTN-40-000074' do + title 'The Photon operating system must reveal error messages only to authorized users.' + desc "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives." + desc 'rationale', '' + desc 'check', " + If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable. + + At the command line, run the following command to verify rsyslog generates log files that are not world readable: + + # grep '^\\$umask' /etc/rsyslog.conf + + Example result: + + $umask 0037 + + If \"$umask\" is not set to \"0037\" or more restrictive, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/rsyslog.conf + + Add or update the following line: + + $umask 0037 + + At the command line, run the following command: + + # systemctl restart rsyslog.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000206-GPOS-00084' + tag gid: 'V-PHTN-40-000074' + tag rid: 'SV-PHTN-40-000074' + tag stig_id: 'PHTN-40-000074' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] + + describe file('/etc/rsyslog.conf') do + its('content') { should match /^\$umask\s0037$/ } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000076.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000076.rb new file mode 100644 index 00000000..b01e2fbb --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000076.rb 
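Review bot: The regex `^\$umask\s0037$` at the end of the control accepts only the literal value 0037, while the check text says 0037 "or more restrictive" is compliant, so a site that set `$umask 0077` is reported as a finding; it also requires exactly one whitespace character between keyword and value. The check text's not-applicable branch (another log-offload package such as syslog-ng) is not implemented either: if rsyslog is absent the file test fails rather than being marked N/A. Parse the value, compare it bitwise against 0037, and gate on the package, as below.
```ruby
  if package('rsyslog').installed?
    umask_value = file('/etc/rsyslog.conf').content.to_s[/^\$umask\s+([0-7]+)\s*$/, 1]
    describe 'rsyslog $umask in /etc/rsyslog.conf' do
      it 'is set' do
        expect(umask_value).not_to be_nil
      end
      it 'is 0037 or more restrictive (clears at least group w/x and all other bits)' do
        expect(umask_value.to_i(8) & 0o037).to eq(0o037) unless umask_value.nil?
      end
    end
  else
    describe 'rsyslog not installed' do
      skip 'rsyslog is not installed; verify the configured log offload package manually per the check text.'
    end
  end
```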
@@ -0,0 +1,58 @@ +control 'PHTN-40-000076' do + title 'The Photon operating system must audit all account modifications.' + desc " + Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + + To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify an audit rule exists to audit account modifications: + + # auditctl -l | grep -E \"(usermod|groupmod)\" + + Example result: + + -w /usr/sbin/usermod -p x -k usermod + -w /usr/sbin/groupmod -p x -k groupmod + + If either \"usermod\" or \"groupmod\" are not listed with a permissions filter of at least \"x\", this is a finding. + + Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016. + " + desc 'fix', " + Navigate to and open: + + /etc/audit/rules.d/audit.STIG.rules + + Add or update the following lines: + + -w /usr/sbin/usermod -p x -k usermod + -w /usr/sbin/groupmod -p x -k groupmod + + At the command line, run the following command to load the new audit rules: + + # /sbin/augenrules --load + + Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd. + + Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000239-GPOS-00089' + tag gid: 'V-PHTN-40-000076' + tag rid: 'SV-PHTN-40-000076' + tag stig_id: 'PHTN-40-000076' + tag cci: ['CCI-001403'] + tag nist: ['AC-2 (4)'] + + describe auditd.file('/usr/sbin/usermod') do + its('permissions') { should include ['x'] } + its('key') { should cmp 'usermod' } + end + describe auditd.file('/usr/sbin/groupmod') do + its('permissions') { should include ['x'] } + its('key') { should cmp 'groupmod' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000078.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000078.rb new file mode 100644 index 00000000..62035507 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000078.rb 
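Review bot: The `auditd.file` assertions at the end read the live ruleset (`auditctl -l`), so a rule added at runtime with `auditctl -w /usr/sbin/usermod -p x -k usermod` passes the control even though nothing is in `/etc/audit/rules.d` and the rule is gone after reboot, whereas the fix text makes persistence in `audit.STIG.rules` the point. Add a file-content check beside the runtime one, e.g. `describe file('/etc/audit/rules.d/audit.STIG.rules') do` / `its('content') { should match %r{^-w /usr/sbin/usermod -p x -k usermod$} }` / `end`, and the same for groupmod. The check text's note that the test depends on auditd running is slightly off as far as I can tell: `auditctl -l` lists the kernel's loaded rules over netlink without the daemon, so the real dependency is on the rules having been loaded, which the note could state precisely.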
@@ -0,0 +1,54 @@ +control 'PHTN-40-000078' do + title 'The Photon operating system must audit all account removal actions.' + desc 'When operating system accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the operating system processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify an audit rule exists to audit account removals: + + # auditctl -l | grep -E \"(userdel|groupdel)\" + + Example result: + + -w /usr/sbin/userdel -p x -k userdel + -w /usr/sbin/groupdel -p x -k groupdel + + If either \"userdel\" or \"groupdel\" are not listed with a permissions filter of at least \"x\", this is a finding. + + Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016. + " + desc 'fix', " + Navigate to and open: + + /etc/audit/rules.d/audit.STIG.rules + + Add or update the following lines: + + -w /usr/sbin/userdel -p x -k userdel + -w /usr/sbin/groupdel -p x -k groupdel + + At the command line, run the following command to load the new audit rules: + + # /sbin/augenrules --load + + Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd. + + Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000241-GPOS-00091' + tag gid: 'V-PHTN-40-000078' + tag rid: 'SV-PHTN-40-000078' + tag stig_id: 'PHTN-40-000078' + tag cci: ['CCI-001405'] + tag nist: ['AC-2 (4)'] + + describe auditd.file('/usr/sbin/userdel') do + its('permissions') { should include ['x'] } + its('key') { should cmp 'userdel' } + end + describe auditd.file('/usr/sbin/groupdel') do + its('permissions') { should include ['x'] } + its('key') { should cmp 'groupdel' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000079.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000079.rb new file mode 100644 index 00000000..a343881c --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000079.rb 
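Review bot: The two `-w … -p x` watches tested at the end record only executions of `/usr/sbin/userdel` and `/usr/sbin/groupdel`; an account removed by editing `/etc/passwd`, `/etc/shadow`, `/etc/group` or `/etc/gshadow` directly (vipw/vigr, a configuration-management tool, or a manual edit) produces no event under these keys, so the "audit all account removal actions" title holds only if those files are watched elsewhere in the profile. If no other control carries them, add identity watches such as `-w /etc/passwd -p wa -k identity` and `-w /etc/group -p wa -k identity` to `audit.STIG.rules` and test them here or in a companion control. The `its('key') { should cmp 'userdel' }` assertion also makes the key name part of compliance; a one-line comment saying the key must match the fix text verbatim would explain why an otherwise identical rule with a different `-k` value fails.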
@@ -0,0 +1,61 @@ +control 'PHTN-40-000079' do + title 'The Photon operating system must implement only approved ciphers to protect the integrity of remote access sessions.' + desc " + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i Ciphers + + Expected result: + + ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + + If the output matches the ciphers in the expected result or a subset thereof, this is not a finding. + + If the ciphers in the output contain any ciphers not listed in the expected result, this is a finding. 
+ " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"Ciphers\" line is uncommented and set to the following: + + Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000250-GPOS-00093' + tag gid: 'V-PHTN-40-000079' + tag rid: 'SV-PHTN-40-000079' + tag stig_id: 'PHTN-40-000079' + tag cci: ['CCI-001453'] + tag nist: ['AC-17 (2)'] + + sshdCiphers = input('sshdCiphers') + sshdcommand = input('sshdcommand') + ciphers = command("#{sshdcommand}|&grep -i Ciphers").stdout.strip.delete_prefix('ciphers ').split(',') + + if !ciphers.empty? + ciphers.each do |cipher| + describe cipher do + it { should be_in sshdCiphers } + end + end + else + describe 'No SSH ciphers found...skipping...' do + skip 'No SSH ciphers found...skipping...' + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000080.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000080.rb new file mode 100644 index 00000000..fea0a3d3 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000080.rb 
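Review bot: The `else` branch at the end turns "no ciphers line returned" into a skip, which hides the cases a reviewer most wants surfaced: `sshd -T` failing (wrong `sshdcommand` input, missing binary, unreadable config) yields empty stdout and this high-severity control is reported as skipped rather than failed. Keep the per-cipher loop but make the empty case a failure, e.g. `describe 'Ciphers from sshd -T' do` / `it { expect(ciphers).not_to be_empty }` / `end`, or assert the command's `exit_status` is 0 before parsing. Two style points: `sshdCiphers` is camelCase where the profile's other inputs are snake_case (`sshdcommand`, `disabled_modules`), and `delete_prefix('ciphers ')` silently assumes the lowercase keyword `sshd -T` prints, which deserves a comment since `grep -i` suggests case was considered variable.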
@@ -0,0 +1,45 @@ +control 'PHTN-40-000080' do + title 'The Photon operating system must initiate session audits at system start-up.' + desc 'If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify auditing is enabled at start-up: + + # grep 'audit' /proc/cmdline + + Example result: + + BOOT_IMAGE=/boot/vmlinuz-5.10.109-2.ph4-esx root=PARTUUID=6e6293c6-9ab6-49e9-aa97-9b212f2e037a init=/lib/systemd/systemd rcupdate.rcu_expedited=1 rw systemd.show_status=1 quiet noreplace-smp cpu_init_udelay=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes audit=1 + + If the \"audit\" parameter is not present with a value of \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /boot/grub2/grub.cfg + + Locate the boot command line arguments. An example follows: + + linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline + + Add \"audit=1\" to the end of the line so it reads as follows: + + linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline audit=1 + + Note: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append \"audit=1\" to it. + + Reboot the system for the change to take effect. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000254-GPOS-00095' + tag gid: 'V-PHTN-40-000080' + tag rid: 'SV-PHTN-40-000080' + tag stig_id: 'PHTN-40-000080' + tag cci: ['CCI-001464'] + tag nist: ['AU-14 (1)'] + + describe command('cat /proc/cmdline') do + its('stdout.strip') { should match /audit=1/ } + end +end 
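Review bot: The final assertion `should match /audit=1/` is an unanchored substring match against `/proc/cmdline`, so it is satisfied by `audit=10` or any token that merely contains `audit=1`, and it ignores a later `audit=0` even though the kernel processes repeated parameters in order so the last one wins. Anchor the token, `its('stdout.strip') { should match(/(?:^|\s)audit=1(?:\s|$)/) }`, and if last-wins matters add `its('stdout.strip') { should_not match(/(?:^|\s)audit=1(?:\s|$).*(?:^|\s)audit=0(?:\s|$)/) }`. The check text's example command line embeds a concrete PARTUUID and kernel version; it is clearly illustrative, but an "e.g." in front of it would keep a reader from comparing their output token-for-token.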
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000082.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000082.rb new file mode 100644 index 00000000..94c567b1 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000082.rb 
@@ -0,0 +1,81 @@ +control 'PHTN-40-000082' do + title 'The Photon operating system must protect audit tools from unauthorized access.' + desc " + Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + + Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. + + Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify permissions on audit tools: + + # stat -c \"%n is owned by %U and group owned by %G and permissions are %a\" /usr/sbin/audispd /usr/sbin/auditctl /usr/sbin/auditd /usr/sbin/aureport /usr/sbin/ausearch /usr/sbin/autrace /usr/sbin/augenrules + + Expected result: + + /usr/sbin/audispd is owned by root and group owned by root and permissions are 750 + /usr/sbin/auditctl is owned by root and group owned by root and permissions are 755 + /usr/sbin/auditd is owned by root and group owned by root and permissions are 755 + /usr/sbin/aureport is owned by root and group owned by root and permissions are 755 + /usr/sbin/ausearch is owned by root and group owned by root and permissions are 755 + /usr/sbin/autrace is owned by root and group owned by root and permissions are 755 + /usr/sbin/augenrules is owned by root and group owned by root and permissions are 750 + + If any file is not owned by root or group owned by root or permissions are more permissive than listed above, this is a finding. 
+ " + desc 'fix', " + At the command line, run the following commands for each file returned: + + # chown root:root + # chmod 750 + + Note: Update permissions to match the target file as listed in the check text. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000256-GPOS-00097' + tag satisfies: ['SRG-OS-000257-GPOS-00098', 'SRG-OS-000258-GPOS-00099'] + tag gid: 'V-PHTN-40-000082' + tag rid: 'SV-PHTN-40-000082' + tag stig_id: 'PHTN-40-000082' + tag cci: ['CCI-001493', 'CCI-001494', 'CCI-001495'] + tag nist: ['AU-9'] + + describe file('/usr/sbin/audispd') do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + it { should_not be_more_permissive_than('0750') } + end + describe file('/usr/sbin/auditctl') do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + it { should_not be_more_permissive_than('0755') } + end + describe file('/usr/sbin/auditd') do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + it { should_not be_more_permissive_than('0755') } + end + describe file('/usr/sbin/aureport') do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + it { should_not be_more_permissive_than('0755') } + end + describe file('/usr/sbin/ausearch') do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + it { should_not be_more_permissive_than('0755') } + end + describe file('/usr/sbin/autrace') do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + it { should_not be_more_permissive_than('0755') } + end + describe file('/usr/sbin/augenrules') do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + it { should_not be_more_permissive_than('0750') } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000085.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000085.rb new file mode 100644 index 00000000..9a7fb477 --- /dev/null 
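Review bot: The seven `describe file(...)` blocks at the end of the control differ only in path and mode, and none of them asserts that the binary exists, so a missing tool surfaces as a confusing `owner should cmp "root"` failure against `nil`; a path-to-mode table with an explicit `it { should exist }` makes the intent and the failure reason clear. `/usr/sbin/audispd` in particular may not ship with newer audit packages (it was folded into auditd upstream), so confirm it is present on the target image or guard it with `only_if`. Separately, the fix text reads `# chown root:root` and `# chmod 750` with no operand; if a `<file>` placeholder was lost rather than omitted, the same appears to apply to the fix texts of PHTN-40-000085, the `-F path=` rule in PHTN-40-000107, the `@;RSYSLOG_SyslogProtocol23Format` lines in PHTN-40-000111 and `visudo -f /etc/sudoers.d/` in PHTN-40-000133.
```ruby
# … unchanged: title, desc, impact and tags …
{
  '/usr/sbin/audispd' => '0750',
  '/usr/sbin/auditctl' => '0755',
  '/usr/sbin/auditd' => '0755',
  '/usr/sbin/aureport' => '0755',
  '/usr/sbin/ausearch' => '0755',
  '/usr/sbin/autrace' => '0755',
  '/usr/sbin/augenrules' => '0750'
}.each do |path, mode|
  describe file(path) do
    it { should exist }
    its('owner') { should cmp 'root' }
    its('group') { should cmp 'root' }
    it { should_not be_more_permissive_than(mode) }
  end
end
```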
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000085.rb @@ -0,0 +1,36 @@ +control 'PHTN-40-000085' do + title 'The Photon operating system must limit privileges to change software resident within software libraries.' + desc " + If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + + This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify software library permissions: + + # find /usr/lib/ -type f \"(\" ! -user root -o ! -group root -o -perm /022 \")\" -printf '%p, %u:%g:%m\ + ' + + If there is any output, this is a finding. + " + desc 'fix', " + At the command line, run the following commands for each file returned: + + # chown root:root + # chmod 755 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000259-GPOS-00100' + tag gid: 'V-PHTN-40-000085' + tag rid: 'SV-PHTN-40-000085' + tag stig_id: 'PHTN-40-000085' + tag cci: ['CCI-001499'] + tag nist: ['CM-5 (6)'] + + describe command("find /usr/lib/ -type f \"(\" ! -user root -o ! -group root -o -perm /022 \")\" -printf '%p, %u:%g:%m\\n'") do + its('stdout') { should cmp '' } + its('stderr') { should cmp '' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000086.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000086.rb new file mode 100644 index 00000000..cfcf64db --- /dev/null 
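Review bot: In the `desc 'check'` text, `-printf '%p, %u:%g:%m\` is followed by a line break inside a double-quoted Ruby string, which Ruby treats as a line continuation, so the documented command renders as `-printf '%p, %u:%g:%m'` with no `\n` and would print all findings on one line; the executed `command(...)` correctly uses `%m\\n`. Writing `%m\\n'` in the check text as well keeps the documented and executed commands identical. The hunk is shown collapsed onto a single line here, so confirm the exact bytes in the file.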
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000086.rb 
@@ -0,0 +1,51 @@ +control 'PHTN-40-000086' do + title 'The Photon operating system must enforce password complexity by requiring that at least one special character be used.' + desc " + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + + Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify at least one upper-case character be used: + + # grep '^ocredit' /etc/security/pwquality.conf + + Expected result: + + ocredit = -1 + + If the \"ocredit\" option is not < 0, is missing or commented out, this is a finding. + + Note: If pwquality.conf is not used to configure pam_pwquality.so, these options may be specified on the pwquality line in the system-password file. + " + desc 'fix', " + Navigate to and open: + + /etc/security/pwquality.conf + + Add or update the following lines: + + ocredit = -1 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000266-GPOS-00101' + tag gid: 'V-PHTN-40-000086' + tag rid: 'SV-PHTN-40-000086' + tag stig_id: 'PHTN-40-000086' + tag cci: ['CCI-001619'] + tag nist: ['IA-5 (1) (a)'] + + if input('usePwqualityConf') + describe parse_config_file('/etc/security/pwquality.conf') do + its('ocredit') { should cmp < 0 } + end + else + describe file('/etc/pam.d/system-password') do + its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+(?=.*\bocredit=-1\b).*$/ } + end + end +end 
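Review bot: The check text opens with "verify at least one upper-case character be used", but this control is about special characters (`ocredit`), so the sentence looks copied from the upper-case control and should read "verify at least one special character be used". The PAM fallback regex `(?=.*\bocredit=-1\b)` also only accepts exactly `-1`, while the check text and the `parse_config_file` branch accept any value `< 0`; `(?=.*\bocredit=-\d+\b)` would make the two branches agree.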
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000092.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000092.rb new file mode 100644 index 00000000..4754826f --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000092.rb 
@@ -0,0 +1,44 @@ +control 'PHTN-40-000092' do + title 'The Photon operating system must use cryptographic mechanisms to protect the integrity of audit tools.' + desc " + Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. + + Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. + + It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. + + To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. + " + desc 'rationale', '' + desc 'check', " + Use the verification capability of rpm to check the MD5 hashes of the audit files on disk versus the expected ones from the installation package. + + At the command line, run the following command: + + # rpm -V audit | grep \"^..5\" + + Example output: + + S.5....T. c /etc/audit/auditd.conf + + If there is any output for files that are not configuration files, this is a finding. + " + desc 'fix', " + If the audit system binaries have been altered investigate the cause and then re-install the audit package to restore the integrity of the package. + + If performed on a VMware re-installing the audit tools is not supported. The appliance should be restored from a backup or redeployed once the root cause is remediated. 
+ " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000278-GPOS-00108' + tag gid: 'V-PHTN-40-000092' + tag rid: 'SV-PHTN-40-000092' + tag stig_id: 'PHTN-40-000092' + tag cci: ['CCI-001496'] + tag nist: ['AU-9 (3)'] + + describe command('rpm -V audit | grep "^..5" | grep -v /etc/audit/auditd.conf') do + its('stdout.strip') { should cmp '' } + its('stderr') { should cmp '' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000093.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000093.rb new file mode 100644 index 00000000..a68b9558 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000093.rb 
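Review bot: The executed command `rpm -V audit | grep "^..5" | grep -v /etc/audit/auditd.conf` excludes only one hard-coded configuration file, whereas the check text excludes "files that are not configuration files"; any other modified config in the package (rules or plugin files, for instance) would fail the test even though the check would not count it. `rpm -V` marks configuration files with a `c` in the attribute column, so filtering on that marker follows the check exactly: `rpm -V audit | grep '^..5' | grep -vE '^\S+\s+c\s'`. The description's "MD5 hashes" wording is also loose, since the `5` flag reports a mismatch of whichever digest the package carries, which on current rpm releases is generally not MD5.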
@@ -0,0 +1,50 @@ +control 'PHTN-40-000093' do + title 'The operating system must automatically terminate a user session after inactivity time-outs have expired.' + desc " + Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. + + Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. + + Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. + + This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command: + + # grep -E \"TMOUT=900\" /etc/bash.bashrc /etc/profile.d/* + + Example result: + + /etc/profile.d/tmout.sh:TMOUT=900 + + If the \"TMOUT\" environmental variable is not set, the value is more than \"900\", or is set to \"0\", this is a finding. 
+ " + desc 'fix', " + Navigate to and open: + + /etc/profile.d/tmout.sh + + Set its content to the following: + + TMOUT=900 + readonly TMOUT + export TMOUT + mesg n 2>/dev/null + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000279-GPOS-00109' + tag satisfies: ['SRG-OS-000126-GPOS-00066'] + tag gid: 'V-PHTN-40-000093' + tag rid: 'SV-PHTN-40-000093' + tag stig_id: 'PHTN-40-000093' + tag cci: ['CCI-000879', 'CCI-002361'] + tag nist: ['AC-12', 'MA-4 e'] + + tmoutcontent = inspec.profile.file('tmout.sh') + describe file('/etc/profile.d/tmout.sh') do + its('content') { should eq tmoutcontent } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000105.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000105.rb new file mode 100644 index 00000000..3f4329df --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000105.rb 
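Review bot: The test compares the whole content of `/etc/profile.d/tmout.sh` with `should eq tmoutcontent`, which is stricter than the check text: a compliant file setting `TMOUT=600`, a different line order, or the variable set in `/etc/bash.bashrc` (which the check greps) all fail. If the intent is to enforce the exact shipped file, a comment saying so would prevent the next reader from "fixing" it; otherwise assert the properties the check describes, e.g. `its('content') { should match /^TMOUT=([1-9]\d{0,2}|900)$/ }` plus `readonly TMOUT` and `export TMOUT`, so that any value in 1..900 passes and `0` fails.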
@@ -0,0 +1,43 @@ +control 'PHTN-40-000105' do + title 'The Photon operating system must enable symlink access control protection in the kernel.' + desc "By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat()." + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify symlink protection is enabled: + + # /sbin/sysctl fs.protected_symlinks + + Example result: + + fs.protected_symlinks = 1 + + If the \"fs.protected_symlinks\" kernel parameter is not set to \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following line: + + fs.protected_symlinks = 1 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000324-GPOS-00125' + tag gid: 'V-PHTN-40-000105' + tag rid: 'SV-PHTN-40-000105' + tag stig_id: 'PHTN-40-000105' + tag cci: ['CCI-002235'] + tag nist: ['AC-6 (10)'] + + describe kernel_parameter('fs.protected_symlinks') do + its('value') { should cmp 1 } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000107.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000107.rb new file mode 100644 index 00000000..4b2cd311 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000107.rb 
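Review bot: The `kernel_parameter('fs.protected_symlinks')` check only verifies the running value, while the fix sets it in `/etc/sysctl.d/zz-stig-hardening.conf`; a value set with `sysctl -w` and never persisted passes this test and reverts on reboot. If persistence is meant to be part of the control, add a second describe on the drop-in, e.g. `its('content') { should match /^fs\.protected_symlinks\s*=\s*1$/ }`, or document that only the effective setting is assessed. The same applies to PHTN-40-000160 and `kernel.randomize_va_space`.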
@@ -0,0 +1,66 @@ +control 'PHTN-40-000107' do + title 'The Photon operating system must audit the execution of privileged functions.' + desc 'Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to output a list of files with setuid/setgid configured and their corresponding audit rules: + + # for file in $(find / -xdev -path /var/lib/containerd -prune -o \\( -perm -4000 -o -perm -2000 \\) -type f -print | sort); do echo \"Found file with setuid/setgid configured: $file\";rule=\"$(auditctl -l | grep \"$file \")\";echo \"Audit Rule Result: $rule\";echo \"\"; done + + Example output: + + Found file with setuid/setgid configured: /usr/bin/chage + Audit Rule Result: -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged + + Found file with setuid/setgid configured: /usr/bin/chfn + Audit Rule Result: -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged + + If each file returned does not have a corresponding audit rule, this is a finding. + + Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016. + + Note: auid!=-1, auid!=4294967295, auid!=unset are functionally equivalent in this check and the output of the above commands may be displayed in either format. 
+ " + desc 'fix', " + Run the following steps for each file found in the check that does not have a corresponding line in the audit rules: + + Navigate to and open: + + /etc/audit/rules.d/audit.STIG.rules + + Add the following line: + + -a always,exit -F path= -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged + + Run the following command to load the new audit rules: + + # /sbin/augenrules --load + + Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd. + + Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000327-GPOS-00127' + tag satisfies: ['SRG-OS-000240-GPOS-00090', 'SRG-OS-000458-GPOS-00203', 'SRG-OS-000463-GPOS-00207', 'SRG-OS-000471-GPOS-00215'] + tag gid: 'V-PHTN-40-000107' + tag rid: 'SV-PHTN-40-000107' + tag stig_id: 'PHTN-40-000107' + tag cci: ['CCI-000172', 'CCI-001404', 'CCI-002234'] + tag nist: ['AC-2 (4)', 'AC-6 (9)', 'AU-12 c'] + + results = command('find / -xdev -path /var/lib/containerd -prune -o \( -perm -4000 -type f -o -perm -2000 \) -type f -print').stdout.split("\n") + if !results.empty? + results.each do |path| + describe auditd do + # -S all is added to these after they are processed + its('lines') { should include /-a always,exit -S all -F path=#{path} -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged/ } + end + end + else + describe 'No setuid files found troubleshoot command and rerun.' do + skip 'No setuid files found troubleshoot command and rerun.' + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000108.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000108.rb new file mode 100644 index 00000000..f5eef604 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000108.rb 
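Review bot: In the `results.each` loop the path is interpolated into a regex unescaped, `-F path=#{path} -F perm=x`, so `.` in a path matches any character and a path containing `+`, `(` or `[` would make the regex wrong or raise at parse time; `-F path=#{Regexp.escape(path)} -F perm=x` is the safe form. The comment `-S all is added to these after they are processed` explains why the expected rule differs from the one in the fix text, which is helpful, but the note in the check text that `auid!=-1`, `auid!=4294967295` and `auid!=unset` are equivalent is not reflected in the regex; if `auditctl -l` is known to always normalise to `-1` on this platform, say so in that comment.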
@@ -0,0 +1,46 @@ +control 'PHTN-40-000108' do + title 'The Photon operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.' + desc 'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following commands to verify accounts are locked until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made: + + # grep '^unlock_time =' /etc/security/faillock.conf + + Example result: + + unlock_time = 0 + + If the \"unlock_time\" option is not set to \"0\", is missing or commented out, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/security/faillock.conf + + Add or update the following lines: + + unlock_time = 0 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000329-GPOS-00128' + tag gid: 'V-PHTN-40-000108' + tag rid: 'SV-PHTN-40-000108' + tag stig_id: 'PHTN-40-000108' + tag cci: ['CCI-002238'] + tag nist: ['AC-7 b'] + + if input('useFaillockConf') + describe parse_config_file('/etc/security/faillock.conf') do + its('unlock_time') { should cmp 0 } + end + else + describe pam('/etc/pam.d/system-auth') do + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail') } + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth').all_with_integer_arg('unlock_time', '==', 0) } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail').all_with_integer_arg('unlock_time', '==', 0) } + end + end +end 
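Review bot: The title promises "three unsuccessful logon attempts in 15 minutes", but the test only asserts `unlock_time`, so a reader cannot tell from this control whether `deny` and `fail_interval` are deliberately left to sibling controls or were missed. A one-line comment above the `if input('useFaillockConf')` branch naming where the attempt count and interval are assessed, e.g. `# deny/fail_interval are assessed by their own controls; this control covers unlock_time only`, would settle that without changing the test.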
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000110.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000110.rb new file mode 100644 index 00000000..cfd1fc0d --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000110.rb @@ -0,0 +1,45 @@ +control 'PHTN-40-000110' do + title 'The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.' + desc 'Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation and setting a reasonable number of logs to keep. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify auditd is configured to keep a number of audit logs in the event of a central log processing failure: + + # grep -E \"^num_logs|^max_log_file_action\" /etc/audit/auditd.conf + + Example result: + + num_logs = 5 + max_log_file_action = ROTATE + + If \"num_logs\" is not configured to \"5\" or greater, this is a finding. + If \"max_log_file_action\" is not configured to \"ROTATE\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/audit/auditd.conf + + Ensure the following lines are present, not duplicated, and not commented: + + num_logs = 5 + max_log_file_action = ROTATE + + At the command line, run the following command: + + # pkill -SIGHUP auditd + " + impact 0.3 + tag severity: 'low' + tag gtitle: 'SRG-OS-000341-GPOS-00132' + tag gid: 'V-PHTN-40-000110' + tag rid: 'SV-PHTN-40-000110' + tag stig_id: 'PHTN-40-000110' + tag cci: ['CCI-001849'] + tag nist: ['AU-4'] + + describe auditd_conf do + its('num_logs') { should cmp >= '5' } + its('max_log_file_action') { should cmp 'ROTATE' } + end +end 
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000111.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000111.rb new file mode 100644 index 00000000..05a83dfb --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000111.rb 
@@ -0,0 +1,64 @@ +control 'PHTN-40-000111' do + title 'The Photon operating system must off-load audit records onto a different system or media from the system being audited.' + desc " + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit storage capacity. + " + desc 'rationale', '' + desc 'check', " + If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable. + + At the command line, run the following command to verify audit records are off-loaded to a syslog server: + + # cat /etc/rsyslog.conf + + The output should be similar to the following where is set to the environments approved syslog server: + + *.* @;RSYSLOG_SyslogProtocol23Format + + If no line is returned or if the line is commented or no valid syslog server is specified, this is a finding. + " + desc 'fix', " + Examples are provided for UDP, TCP, and TLS configurations. Substitute the environments approved syslog server for for the protocol of choice. 
+ + For Example: + + *.* @mysyslog.domain.local:514;RSYSLOG_SyslogProtocol23Format + + Navigate to and open: + + /etc/rsyslog.conf + + Remove any existing content and create a new remote server configuration line: + + For UDP + + *.* @;RSYSLOG_SyslogProtocol23Format + + For TCP + + *.* @@;RSYSLOG_SyslogProtocol23Format + + For TLS + + *.* @@(o);RSYSLOG_SyslogProtocol23Format + + At the command line, run the following command: + + # systemctl restart rsyslog.service + " + impact 0.3 + tag severity: 'low' + tag gtitle: 'SRG-OS-000342-GPOS-00133' + tag satisfies: ['SRG-OS-000274-GPOS-00104', 'SRG-OS-000275-GPOS-00105', 'SRG-OS-000276-GPOS-00106', 'SRG-OS-000277-GPOS-00107', 'SRG-OS-000304-GPOS-00121', 'SRG-OS-000447-GPOS-00201', 'SRG-OS-000479-GPOS-00224'] + tag gid: 'V-PHTN-40-000111' + tag rid: 'SV-PHTN-40-000111' + tag stig_id: 'PHTN-40-000111' + tag cci: ['CCI-001683', 'CCI-001684', 'CCI-001685', 'CCI-001686', 'CCI-001851', 'CCI-002132', 'CCI-002702'] + tag nist: ['AC-2 (4)', 'AU-4 (1)', 'SI-6 d'] + + describe file('/etc/rsyslog.conf') do + its('content') { should match /^\*\.\*.*#{input('syslogServer')};RSYSLOG_SyslogProtocol23Format$/ } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000112.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000112.rb new file mode 100644 index 00000000..697dd9db --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000112.rb 
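Review bot: The regex at the end of the control interpolates `input('syslogServer')` unescaped, so the dots of a hostname match any character and a value containing `(`, `+` or `[` breaks the pattern; use `#{Regexp.escape(input('syslogServer'))}`. The check text also says the control is not applicable when another forwarder such as syslog-ng is properly configured, but the test has no `only_if` or input for that case and will fail on such systems, so either add an input-driven `only_if` or state in a comment that rsyslog is assumed.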
@@ -0,0 +1,44 @@ +control 'PHTN-40-000112' do + title 'The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.' + desc 'If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify auditd is alerting when low disk space is detected: + + # grep '^space_left' /etc/audit/auditd.conf + + Expected result: + + space_left = 25% + space_left_action = SYSLOG + + If the output does not match the expected result, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/audit/auditd.conf + + Ensure the \"space_left\" and \"space_left_action\" lines are uncommented and set to the following: + + space_left = 25% + space_left_action = SYSLOG + + At the command line, run the following command: + + # pkill -SIGHUP auditd + " + impact 0.3 + tag severity: 'low' + tag gtitle: 'SRG-OS-000343-GPOS-00134' + tag gid: 'V-PHTN-40-000112' + tag rid: 'SV-PHTN-40-000112' + tag stig_id: 'PHTN-40-000112' + tag cci: ['CCI-001855'] + tag nist: ['AU-5 (1)'] + + describe auditd_conf do + its('space_left') { should cmp '25%' } + its('space_left_action') { should cmp 'SYSLOG' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000127.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000127.rb new file mode 100644 index 00000000..1e34c6f2 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000127.rb 
@@ -0,0 +1,38 @@ +control 'PHTN-40-000127' do + title 'The Photon operating system must install AIDE to detect changes to baseline configurations.' + desc " + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + + Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following commands to verify AIDE is installed and used to monitor for file changes: + + # rpm -qa | grep '^aide' + + Example result: + + aide-0.16.2-3.ph4.x86_64 + + If AIDE is not installed, this is a finding. + " + desc 'fix', " + At the command line, run the following command: + + # tdnf install aide + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000363-GPOS-00150' + tag satisfies: ['SRG-OS-000446-GPOS-00200'] + tag gid: 'V-PHTN-40-000127' + tag rid: 'SV-PHTN-40-000127' + tag stig_id: 'PHTN-40-000127' + tag cci: ['CCI-001744', 'CCI-002699'] + tag nist: ['CM-3 (5)', 'SI-6 b'] + + describe command('rpm -qa | grep aide') do + its('stdout.strip') { should match /^aide-/ } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000130.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000130.rb new file mode 100644 index 00000000..a05f66a9 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000130.rb 
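Review bot: The test shells out with `rpm -qa | grep aide` and then matches `/^aide-/` on the stripped output, which works but is indirect; InSpec's package resource expresses the same requirement without parsing rpm output, `describe package('aide') do it { should be_installed } end`, and reports the installed version in its failure message. Note also that the executed `grep aide` drops the `^` anchor used in the check text, so the only thing keeping `libaide`-style matches out is the `/^aide-/` regex.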
@@ -0,0 +1,46 @@ +control 'PHTN-40-000130' do + title 'The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation.' + desc 'Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify software packages are cryptographically verified during installation: + + # grep '^gpgcheck' /etc/tdnf/tdnf.conf + + Example result: + + gpgcheck=1 + + If \"gpgcheck\" is not set to \"true\", \"1\", or \"yes\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/tdnf/tdnf.conf + + Add or update the following line: + + gpgcheck=1 + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000366-GPOS-00153' + tag gid: 'V-PHTN-40-000130' + tag rid: 'SV-PHTN-40-000130' + tag stig_id: 'PHTN-40-000130' + tag cci: ['CCI-001749'] + tag nist: ['CM-5 (3)'] + + # This config file has a [main] section header at the top + describe.one do + describe parse_config_file('/etc/tdnf/tdnf.conf').params['main'] do + its('gpgcheck') { should cmp 1 } + end + describe parse_config_file('/etc/tdnf/tdnf.conf').params['main'] do + its('gpgcheck') { should cmp 'true' } + end + describe parse_config_file('/etc/tdnf/tdnf.conf').params['main'] do + its('gpgcheck') { should cmp 'yes' } + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000133.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000133.rb new file mode 100644 index 00000000..addf5b61 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000133.rb 
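Review bot: The `describe.one` block parses `/etc/tdnf/tdnf.conf` three times to accept `1`, `true` or `yes`; a single describe with one case-insensitive match, `its('gpgcheck') { should match(/\A(1|true|yes)\z/i) }`, states the accepted values in one place and gives one failure message instead of three. Also, if the `[main]` header is absent, `params['main']` is nil and the `its` call raises rather than reporting a finding; a preceding `it { should_not be_nil }` on the section, or a comment stating the header is guaranteed on Photon, would make that failure mode explicit.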
@@ -0,0 +1,55 @@ +control 'PHTN-40-000133' do + title 'The Photon operating system must require users to reauthenticate for privilege escalation.' + desc " + Without re-authentication, users may access resources or perform tasks for which they do not have authorization. + + When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following commands to verify users with a set password are not allowed to sudo without re-authentication: + + # grep -ihs nopasswd /etc/sudoers /etc/sudoers.d/*|grep -vE '(^#|^%)' + + # awk -F: '($2 != \"x\" && $2 != \"!\") {print $1}' /etc/shadow + + If any account listed in the first output is also listed in the second output and is not documented, this is a finding. + " + desc 'fix', " + Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files with the following command: + + # visudo + + OR + + # visudo -f /etc/sudoers.d/ + + Remove any occurrences of \"NOPASSWD\" tags associated with user accounts with a password hash. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000373-GPOS-00156' + tag satisfies: ['SRG-OS-000373-GPOS-00157', 'SRG-OS-000373-GPOS-00158'] + tag gid: 'V-PHTN-40-000133' + tag rid: 'SV-PHTN-40-000133' + tag stig_id: 'PHTN-40-000133' + tag cci: ['CCI-002038'] + tag nist: ['IA-11'] + + # Find users in sudoers with NOPASSWD flag and extract username + results = command("awk '/NOPASSWD/ && /^[^#%].*/ {print $1}' /etc/sudoers /etc/sudoers.d/*").stdout.split("\n") + + # Compare results to shadow file to verify their password is set to ! + if !results.empty? + results.each do |result| + describe shadow.where(password: '!') do + its('users') { should include(result) } + end + end + else + impact 0.0 + describe 'No users found in sudoers with NOPASSWD flag...skipping...' do + skip 'No users found in sudoers with NOPASSWD flag...skipping...' 
+ end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000160.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000160.rb new file mode 100644 index 00000000..8f044027 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000160.rb @@ -0,0 +1,43 @@ +control 'PHTN-40-000160' do + title 'The Photon operating system must implement address space layout randomization to protect its memory from unauthorized code execution.' + desc " + Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + + Examples of attacks are buffer overflow attacks. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify address space layout randomization is enabled: + + # cat /proc/sys/kernel/randomize_va_space + + If the value of \"randomize_va_space\" is not \"2\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following line: + + kernel.randomize_va_space=2 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000433-GPOS-00193' + tag gid: 'V-PHTN-40-000160' + tag rid: 'SV-PHTN-40-000160' + tag stig_id: 'PHTN-40-000160' + tag cci: ['CCI-002824'] + tag nist: ['SI-16'] + + describe kernel_parameter('kernel.randomize_va_space') do + its('value') { should cmp 2 } + end +end 
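Review bot: The automated test and the manual check disagree on what "has a password": the check text treats any shadow field other than `x` or `!` as a set password, but the describe only accepts accounts whose field is exactly `!`, so an account locked with `*`, `!!` or `!<hash>` (or an `ALL`, `%group` or `User_Alias` token captured by the awk's `$1`) is reported as a finding. Comparing the listed users' actual field is closer to the prose: `describe shadow.where(user: result) do` / `its('passwords') { should all(match(/\A[!*x]/)) } end`. The check text also allows documented exceptions, which the test cannot know about; a profile input listing approved NOPASSWD accounts would close that gap.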
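Review bot: The fix text tells the operator to run `/sbin/sysctl --load` after editing /etc/sysctl.d/zz-stig-hardening.conf, but with no file argument procps `--load` reads only /etc/sysctl.conf, so the new fragment is not applied until reboot; the line should read `# /sbin/sysctl --system` (or `--load /etc/sysctl.d/zz-stig-hardening.conf`). The describe reads only the running value, which matches the check text, so a later sysctl.d fragment overriding the setting would surface only after the next boot; if persistence matters, a second describe on `parse_config_file('/etc/sysctl.d/zz-stig-hardening.conf')` pins it.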
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000161.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000161.rb new file mode 100644 index 00000000..0535353c --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000161.rb @@ -0,0 +1,46 @@ +control 'PHTN-40-000161' do + title 'The Photon operating system must remove all software components after updated versions have been installed.' + desc 'Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command: + + # grep -i '^clean_requirements_on_remove' /etc/tdnf/tdnf.conf + + Example result: + + clean_requirements_on_remove=1 + + If \"clean_requirements_on_remove\" is not set to \"true\", \"1\", or \"yes\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/tdnf/tdnf.conf + + Add or update the following line: + + clean_requirements_on_remove=1 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000437-GPOS-00194' + tag gid: 'V-PHTN-40-000161' + tag rid: 'SV-PHTN-40-000161' + tag stig_id: 'PHTN-40-000161' + tag cci: ['CCI-002617'] + tag nist: ['SI-2 (6)'] + + # This config file has a [main] section header at the top + describe.one do + describe parse_config_file('/etc/tdnf/tdnf.conf').params['main'] do + its('clean_requirements_on_remove') { should cmp 1 } + end + describe parse_config_file('/etc/tdnf/tdnf.conf').params['main'] do + its('clean_requirements_on_remove') { should cmp 'true' } + end + describe parse_config_file('/etc/tdnf/tdnf.conf').params['main'] do + its('clean_requirements_on_remove') { should cmp 'yes' } + end + end +end 
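Review bot: The three `describe.one` branches each re-parse /etc/tdnf/tdnf.conf to compare one key against one literal, and if the `[main]` header the comment relies on is absent, `params['main']` is nil and `its(...)` raises instead of reporting a finding. A single subject with a regex covers all three spellings and fails cleanly on nil: `describe parse_config_file('/etc/tdnf/tdnf.conf').params.dig('main', 'clean_requirements_on_remove') do` / `it { should match(/\A(1|true|yes)\z/i) } end`. PHTN-40-000130 uses the same shape and would benefit identically.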
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000173.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000173.rb new file mode 100644 index 00000000..ec6f3cfb --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000173.rb 
@@ -0,0 +1,64 @@ +control 'PHTN-40-000173' do + title 'The Photon operating system must generate audit records when successful/unsuccessful logon attempts occur.' + desc " + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify an audit rule exists to audit logon attempts: + + # auditctl -l | grep -E \"faillog|lastlog|tallylog\" + + Expected result: + + -w /var/log/faillog -p wa -k logons + -w /var/log/lastlog -p wa -k logons + -w /var/log/tallylog -p wa -k logons + + If the output does not match the expected result, this is a finding. + + Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016. + " + desc 'fix', " + Navigate to and open: + + /etc/audit/rules.d/audit.STIG.rules + + Add or update the following lines: + + -w /var/log/faillog -p wa -k logons + -w /var/log/lastlog -p wa -k logons + -w /var/log/tallylog -p wa -k logons + + At the command line, run the following command to load the new audit rules: + + # /sbin/augenrules --load + + Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd. + + Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000470-GPOS-00214' + tag gid: 'V-PHTN-40-000173' + tag rid: 'SV-PHTN-40-000173' + tag stig_id: 'PHTN-40-000173' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] + + describe auditd.file('/var/log/faillog') do + its('permissions') { should include ['w', 'a'] } + its('key') { should cmp 'logons' } + end + describe auditd.file('/var/log/lastlog') do + its('permissions') { should include ['w', 'a'] } + its('key') { should cmp 'logons' } + end + describe auditd.file('/var/log/tallylog') do + its('permissions') { should include ['w', 'a'] } + its('key') { should cmp 'logons' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000175.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000175.rb new file mode 100644 index 00000000..85722176 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000175.rb 
@@ -0,0 +1,55 @@ +control 'PHTN-40-000175' do + title 'The Photon operating system must be configured to audit the loading and unloading of dynamic kernel modules.' + desc " + Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + + Audit records can be generated from various components within the information system (e.g., module or policy filter). + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify an audit rule exists to audit kernel modules: + + # auditctl -l | grep init_module + + Expected result: + + -a always,exit -F arch=b32 -S init_module -F key=modules + -a always,exit -F arch=b64 -S init_module -F key=modules + + If the output does not match the expected result, this is a finding. + + Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016. + " + desc 'fix', " + Navigate to and open: + + /etc/audit/rules.d/audit.STIG.rules + + Add or update the following lines: + + -a always,exit -F arch=b32 -S init_module -F key=modules + -a always,exit -F arch=b64 -S init_module -F key=modules + + At the command line, run the following command to load the new audit rules: + + # /sbin/augenrules --load + + Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd. + + Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000471-GPOS-00216' + tag satisfies: ['SRG-OS-000477-GPOS-00222'] + tag gid: 'V-PHTN-40-000175' + tag rid: 'SV-PHTN-40-000175' + tag stig_id: 'PHTN-40-000175' + tag cci: ['CCI-000172'] + tag nist: ['AU-12 c'] + + describe auditd do + its('lines') { should include /-a always,exit -F arch=b32 -S init_module -F key=modules/ } + its('lines') { should include /-a always,exit -F arch=b64 -S init_module -F key=modules/ } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000182.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000182.rb new file mode 100644 index 00000000..1d2341cd --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000182.rb 
@@ -0,0 +1,46 @@ +control 'PHTN-40-000182' do + title 'The Photon operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' + desc 'Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify FIPS is enabled for the OS: + + # cat /proc/sys/crypto/fips_enabled + + Example result: + + 1 + + If \"fips_enabled\" is not set to \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /boot/grub2/grub.cfg + + Locate the boot command line arguments. An example follows: + + linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline + + Add \"fips=1\" to the end of the line so it reads as follows: + + linux /boot/$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline fips=1 + + Note: Do not copy/paste in this example argument line. This may change in future releases. Find the similar line and append \"fips=1\" to it. + + Reboot the system for the change to take effect. + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000478-GPOS-00223' + tag satisfies: ['SRG-OS-000396-GPOS-00176'] + tag gid: 'V-PHTN-40-000182' + tag rid: 'SV-PHTN-40-000182' + tag stig_id: 'PHTN-40-000182' + tag cci: ['CCI-002450'] + tag nist: ['SC-13'] + + describe file('/proc/sys/crypto/fips_enabled') do + its('content') { should cmp 1 } + end +end 
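Review bot: The describe reads `/proc/sys/crypto/fips_enabled` through `file(...).content`, so the assertion depends on `cmp` coercing the trailing-newline string `"1\n"` to the integer 1; `describe kernel_parameter('crypto.fips_enabled') do` / `its('value') { should eq 1 } end` states the same check without that dependency and mirrors PHTN-40-000160. The flag shows only that the kernel booted with `fips=1`; whether userspace libraries on the appliance run in a validated mode is outside what this control observes, and the description could say so rather than leaving the title's broader claim unqualified.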
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000184.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000184.rb new file mode 100644 index 00000000..a653fef0 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000184.rb @@ -0,0 +1,45 @@ +control 'PHTN-40-000184' do + title 'The Photon operating system must prevent the use of dictionary words for passwords.' + desc 'If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify at least one upper-case character be used: + + # grep '^dictcheck' /etc/security/pwquality.conf + + Example result: + + dictcheck = 1 + + If the \"dictcheck\" option is 1, is missing or commented out, this is a finding. + + Note: If pwquality.conf is not used to configure pam_pwquality.so, these options may be specified on the pwquality line in the system-password file. + " + desc 'fix', " + Navigate to and open: + + /etc/security/pwquality.conf + + Add or update the following lines: + + dictcheck = 1 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00225' + tag gid: 'V-PHTN-40-000184' + tag rid: 'SV-PHTN-40-000184' + tag stig_id: 'PHTN-40-000184' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + if input('usePwqualityConf') + describe parse_config_file('/etc/security/pwquality.conf') do + its('dictcheck') { should cmp 1 } + end + else + describe file('/etc/pam.d/system-password') do + its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+(?=.*\bdictcheck=1\b).*$/ } + end + end +end 
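Review bot: The check text is inverted: `If the "dictcheck" option is 1, is missing or commented out, this is a finding.` declares the compliant value a finding, and the lead-in sentence describes an upper-case-character check copied from another control. Suggested wording: `At the command line, run the following command to verify dictionary words are rejected for passwords:` and `If the "dictcheck" option is not set to 1, is missing or commented out, this is a finding.` The two describe branches implement the intended rule; only the prose needs the fix.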
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000185.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000185.rb new file mode 100644 index 00000000..8e55a349 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000185.rb @@ -0,0 +1,37 @@ +control 'PHTN-40-000185' do + title 'The Photon operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt in login.defs.' + desc 'Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify passwords are stored with only encrypted representations: + + # grep '^FAIL_DELAY' /etc/login.defs + + Example result: + + FAIL_DELAY 4 + + If the \"FAIL_DELAY\" option is not set to 4 or more, is missing or commented out, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/login.defs + + Add or update the following line: + + FAIL_DELAY 4 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00226' + tag gid: 'V-PHTN-40-000185' + tag rid: 'SV-PHTN-40-000185' + tag stig_id: 'PHTN-40-000185' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe login_defs do + its('FAIL_DELAY') { should cmp >= '4' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000186.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000186.rb new file mode 100644 index 00000000..8f72f225 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000186.rb 
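Review bot: The check text's lead-in, `verify passwords are stored with only encrypted representations`, is copied from a different control and does not describe `FAIL_DELAY`; suggest `run the following command to verify a delay is enforced between failed logon attempts:`. As far as I can tell `FAIL_DELAY` in login.defs governs the console `login` program only, so the description could note that other authentication paths (sshd, PAM-based services) are not covered by this setting.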
@@ -0,0 +1,45 @@ +control 'PHTN-40-000186' do + title 'The Photon operating system must ensure audit events are flushed to disk at proper intervals.' + desc 'Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that end, the auditd service must be configured to start automatically and be running at all times.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify auditd is configured to flush audit events to disk regularly: + + # grep -E \"freq|flush\" /etc/audit/auditd.conf + + Example result: + + flush = INCREMENTAL_ASYNC + freq = 50 + + If \"flush\" is not set to \"INCREMENTAL_ASYNC\", this is a finding. + If \"freq\" is not set to \"50\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/audit/auditd.conf + + Add or update the following lines: + + flush = INCREMENTAL_ASYNC + freq = 50 + + At the command line, run the following command: + + # pkill -SIGHUP auditd + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000186' + tag rid: 'SV-PHTN-40-000186' + tag stig_id: 'PHTN-40-000186' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe auditd_conf do + its('flush') { should cmp 'INCREMENTAL_ASYNC' } + its('freq') { should cmp '50' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000187.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000187.rb new file mode 100644 index 00000000..9fd6bd1c --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000187.rb 
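Review bot: The description is copied from the auditd-service control (`the auditd service must be configured to start automatically and be running at all times`) and says nothing about why flushing matters; suggest `If audit records are buffered in memory and not written to disk at regular intervals, events preceding a crash or power loss are lost, so auditd must flush its buffer frequently.` The `freq` expectation is an exact `50`, so an operator who chooses a smaller, more frequent interval is reported as a finding; that matches the check text as written, so if tighter settings are acceptable the prose and `cmp '50'` should change together.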
@@ -0,0 +1,37 @@ +control 'PHTN-40-000187' do + title 'The Photon operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.' + desc 'Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify passwords are stored with only encrypted representations: + + # grep '^UMASK' /etc/login.defs + + Expected result: + + UMASK 077 + + If the \"UMASK\" option is not set to \"077\", is missing or commented out, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/login.defs + + Add or update the following line: + + UMASK 077 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00228' + tag gid: 'V-PHTN-40-000187' + tag rid: 'SV-PHTN-40-000187' + tag stig_id: 'PHTN-40-000187' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe login_defs do + its('UMASK') { should cmp '077' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000188.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000188.rb new file mode 100644 index 00000000..78dd221b --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000188.rb 
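Review bot: The check text's lead-in, `verify passwords are stored with only encrypted representations`, was copied from another control and should read something like `verify the default umask applied to new user sessions:`. Note `cmp '077'` is, as far as I can tell, a string comparison, so `UMASK 0077` — equally restrictive — is reported as a finding; if that spelling should pass, `its('UMASK') { should match(/\A0?077\z/) }` accepts both and the check text needs the same allowance.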
@@ -0,0 +1,42 @@ +control 'PHTN-40-000188' do + title 'The Photon operating system must configure Secure Shell (SSH) to disallow HostbasedAuthentication.' + desc 'SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i HostbasedAuthentication + + Example result: + + hostbasedauthentication no + + If \"HostbasedAuthentication\" is not set to \"no\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"HostbasedAuthentication\" line is uncommented and set to the following: + + HostbasedAuthentication no + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000480-GPOS-00229' + tag gid: 'V-PHTN-40-000188' + tag rid: 'SV-PHTN-40-000188' + tag stig_id: 'PHTN-40-000188' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i HostbasedAuthentication") do + its('stdout.strip') { should cmp 'HostbasedAuthentication no' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000192.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000192.rb new file mode 100644 index 00000000..8dd6897c --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000192.rb 
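Review bot: `sshd -T` without `-C` prints the effective global configuration only, so a `Match` block that sets `HostbasedAuthentication yes` for particular users or hosts passes this check while still enabling the trust relationship the title forbids; the check text should at least call for reviewing Match blocks, or a second describe should grep `/etc/ssh/sshd_config` and any Include'd files for `^\s*HostbasedAuthentication\s+yes`. The `|&` redirection is a bash extension; if the target's `/bin/sh` is not bash the command fails to parse, so `2>&1 |` is the portable form for both the check text and the describe.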
@@ -0,0 +1,68 @@ +control 'PHTN-40-000192' do + title 'The Photon operating system must be configured to use the pam_faillock.so module.' + desc " + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + + This module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following commands to verify the pam_faillock.so module is used: + + # grep '^auth' /etc/pam.d/system-auth + + Example result: + + auth required pam_faillock.so preauth + auth required pam_unix.so + auth required pam_faillock.so authfail + + If the pam_faillock.so module is not present with the \"preauth\" line listed before pam_unix.so, this is a finding. + If the pam_faillock.so module is not present with the \"authfail\" line listed after pam_unix.so, this is a finding. + + # grep '^account' /etc/pam.d/system-account + + Example result: + + account required pam_faillock.so + account required pam_unix.so + + If the pam_faillock.so module is not present and listed before pam_unix.so, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/pam.d/system-auth + + Add or update the following lines making sure to place the preauth line before the pam_unix.so module: + + auth required pam_faillock.so preauth + auth required pam_faillock.so authfail + + Navigate to and open: + + /etc/pam.d/system-account + + Add or update the following lines making sure to place the line before the pam_unix.so module: + + account required pam_faillock.so + + Note: The lines shown assume the /etc/security/faillock.conf file is used to configure pam_faillock. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000021-GPOS-00005' + tag gid: 'V-PHTN-40-000192' + tag rid: 'SV-PHTN-40-000192' + tag stig_id: 'PHTN-40-000192' + tag cci: ['CCI-000044'] + tag nist: ['AC-7 a'] + + describe file('/etc/pam.d/system-auth') do + its('content') { should match /^auth\s+(required|requisite)\s+pam_faillock\.so\s+(?=.*\bpreauth\b).*\n(^auth\s+(required|requisite)\s+pam_unix\.so.*)/ } + its('content') { should match /^auth\s+(required|requisite)\s+pam_unix\.so.*\n(^auth\s+(required|requisite|\[default=die\])\s+pam_faillock\.so\s+(?=.*\bauthfail\b).*)/ } + end + describe file('/etc/pam.d/system-account') do + its('content') { should match /^account\s+(required|requisite)\s+pam_faillock\.so.*\n(^account\s+(required|requisite)\s+pam_unix\.so.*)/ } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000193.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000193.rb new file mode 100644 index 00000000..fcf443f4 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000193.rb 
@@ -0,0 +1,52 @@ +control 'PHTN-40-000193' do + title 'The Photon operating system must prevent leaking information of the existence of a user account.' + desc " + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + + If the pam_faillock.so module is not configured to use the silent flag it could leak information about the existence or nonexistence of an user account. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify account information is not leaked during the login process: + + # grep '^silent' /etc/security/faillock.conf + + Example result: + + silent + + If the \"silent\" option is not set, is missing or commented out, this is a finding. + + Note: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files. + " + desc 'fix', " + Navigate to and open: + + /etc/security/faillock.conf + + Add or update the following lines: + + silent + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000021-GPOS-00005' + tag gid: 'V-PHTN-40-000193' + tag rid: 'SV-PHTN-40-000193' + tag stig_id: 'PHTN-40-000193' + tag cci: ['CCI-000044'] + tag nist: ['AC-7 a'] + + if input('useFaillockConf') + describe parse_config_file('/etc/security/faillock.conf') do + its('silent') { should_not be nil } + end + else + describe pam('/etc/pam.d/system-auth') do + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail') } + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth').all_with_args('silent') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail').all_with_args('silent') } + end + end +end 
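Review bot: `parse_config_file` with its default assignment regex keys on `=`, and `silent` in faillock.conf is a bare keyword, so `its('silent')` may come back nil on a compliant host and report a false finding — I have not verified this against the InSpec version the profile pins, so please confirm on a target. A content match sidesteps the question: `describe file('/etc/security/faillock.conf') do` / `its('content') { should match(/^\s*silent\s*$/) } end`. The same concern applies to `audit` (PHTN-40-000194) and `even_deny_root` (PHTN-40-000195), which use the identical pattern.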
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000194.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000194.rb new file mode 100644 index 00000000..1babbdcc --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000194.rb 
@@ -0,0 +1,48 @@ +control 'PHTN-40-000194' do + title 'The Photon operating system must audit logon attempts for unknown users.' + desc 'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify that audit logon attempts for unknown users is performed: + + # grep '^audit' /etc/security/faillock.conf + + Example result: + + audit + + If the \"audit\" option is not set, is missing or commented out, this is a finding. + + Note: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files. + " + desc 'fix', " + Navigate to and open: + + /etc/security/faillock.conf + + Add or update the following lines: + + audit + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000021-GPOS-00005' + tag gid: 'V-PHTN-40-000194' + tag rid: 'SV-PHTN-40-000194' + tag stig_id: 'PHTN-40-000194' + tag cci: ['CCI-000044'] + tag nist: ['AC-7 a'] + + if input('useFaillockConf') + describe parse_config_file('/etc/security/faillock.conf') do + its('audit') { should_not be nil } + end + else + describe pam('/etc/pam.d/system-auth') do + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail') } + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth').all_with_args('audit') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail').all_with_args('audit') } + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000195.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000195.rb new file mode 100644 index 00000000..161b62d8 --- /dev/null 
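Review bot: The description (`By limiting the number of failed logon attempts … Limits are imposed by locking the account.`) is the lockout rationale copied from the neighbouring controls and does not explain the `audit` option; suggest `The audit option causes pam_faillock to log the user name of logon attempts for unknown users, so that attempts against non-existent accounts are captured in the system log.` The `parse_config_file` branch has the same bare-keyword parsing concern raised for `silent` in PHTN-40-000193 and would benefit from the same content match.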
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000195.rb 
@@ -0,0 +1,52 @@ +control 'PHTN-40-000195' do + title 'The Photon operating system must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.' + desc " + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + + Unless specified the root account is not included in the default faillock module options and should be included. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify accounts are locked after three consecutive invalid logon attempts by a user during a 15-minute time period includes the root account: + + # grep '^even_deny_root' /etc/security/faillock.conf + + Example result: + + even_deny_root + + If the \"even_deny_root\" option is not set, is missing or commented out, this is a finding. + + Note: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files. 
+ " + desc 'fix', " + Navigate to and open: + + /etc/security/faillock.conf + + Add or update the following lines: + + even_deny_root + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000021-GPOS-00005' + tag gid: 'V-PHTN-40-000195' + tag rid: 'SV-PHTN-40-000195' + tag stig_id: 'PHTN-40-000195' + tag cci: ['CCI-000044'] + tag nist: ['AC-7 a'] + + if input('useFaillockConf') + describe parse_config_file('/etc/security/faillock.conf') do + its('even_deny_root') { should_not be nil } + end + else + describe pam('/etc/pam.d/system-auth') do + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail') } + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth').all_with_args('even_deny_root') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail').all_with_args('even_deny_root') } + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000196.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000196.rb new file mode 100644 index 00000000..9c67435a --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000196.rb 
@@ -0,0 +1,53 @@ +control 'PHTN-40-000196' do + title 'The Photon operating system must persist lockouts between system reboots.' + desc " + By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. + + By default, account lockout information is stored under /var/run/faillock and is not persistent between reboots. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify account locking persists lockouts between system reboots + + # grep '^dir' /etc/security/faillock.conf + + Example result: + + dir = /var/log/faillock + + If the \"dir\" option is set to \"/var/run/faillock\", this is a finding. + If the \"dir\" option is not set to a persistent documented faillock directory, is missing or commented out, this is a finding. + + Note: If faillock.conf is not used to configure pam_faillock.so then these options may be specified on the faillock lines in the system-auth and system-account files. 
+ " + desc 'fix', " + Navigate to and open: + + /etc/security/faillock.conf + + Add or update the following lines: + + dir = /var/log/faillock + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000021-GPOS-00005' + tag gid: 'V-PHTN-40-000196' + tag rid: 'SV-PHTN-40-000196' + tag stig_id: 'PHTN-40-000196' + tag cci: ['CCI-000044'] + tag nist: ['AC-7 a'] + + if input('useFaillockConf') + describe parse_config_file('/etc/security/faillock.conf') do + its('dir') { should cmp '/var/log/faillock' } + end + else + describe pam('/etc/pam.d/system-auth') do + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail') } + its('lines') { should match_pam_rule('auth required pam_faillock.so preauth').all_with_args('dir=/var/log/faillock') } + its('lines') { should match_pam_rule('auth required pam_faillock.so authfail').all_with_args('dir=/var/log/faillock') } + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000197.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000197.rb new file mode 100644 index 00000000..6fc19e1b --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000197.rb 
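Review bot: The code pins `its('dir') { should cmp '/var/log/faillock' }` (and `dir=/var/log/faillock` in the PAM branch), while the check text only requires that `dir` not be `/var/run/faillock` and point to a "persistent documented faillock directory", so a site using another persistent path fails the automated check but passes the written one. Either name `/var/log/faillock` in the check text or take the path from an input used in both branches, e.g. `faillock_dir = input('faillockDir', value: '/var/log/faillock')`. Nothing verifies that the configured directory exists; a `describe directory(faillock_dir) do it { should exist } end` would catch a typo that may quietly break lockout tracking.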
@@ -0,0 +1,43 @@ +control 'PHTN-40-000197' do + title 'The Photon operating system must be configured to use the pam_pwquality.so module.' + desc " + Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + + Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the pam_pwquality.so module is used: + + # grep '^password' /etc/pam.d/system-password + + Example result: + + password required pam_pwhistory.so use_authtok + password required pam_pwquality.so use_authtok + password required pam_unix.so sha512 shadow use_authtok + + If the pam_pwquality.so module is not present, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/pam.d/system-password + + Add or update the following line: + + password required pam_pwquality.so use_authtok + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000069-GPOS-00037' + tag gid: 'V-PHTN-40-000197' + tag rid: 'SV-PHTN-40-000197' + tag stig_id: 'PHTN-40-000197' + tag cci: ['CCI-000192'] + tag nist: ['IA-5 (1) (a)'] + + describe file('/etc/pam.d/system-password') do + its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+.*$/ } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000199.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000199.rb new file mode 100644 index 00000000..8b605542 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000199.rb 
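Review bot: The regex on the final `its('content')` line requires whitespace after the module name (`\.so\s+.*$`), so a line `password required pam_pwquality.so` with no module arguments does not match and the control reports a finding even though the module is present, which is all the check text asks for. Make the argument list optional: `its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so(\s.*)?$/ }`. If `use_authtok` is meant to be mandatory, as the fix text implies, assert it explicitly instead of relying on the trailing `.*`.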
@@ -0,0 +1,40 @@ +control 'PHTN-40-000199' do + title 'The Photon operating system TDNF package management tool must cryptographically verify the authenticity of all software packages during installation for all repos.' + desc 'Installation of any nontrusted software, patches, service packs, device drivers, or operating system components can significantly affect the overall security of the operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify software packages are cryptographically verified during installation: + + # grep gpgcheck /etc/yum.repos.d/* + + If \"gpgcheck\" is not set to \"1\" in any returned file, this is a finding. + " + desc 'fix', " + Open the file where \"gpgcheck\" is not set to 1 with a text editor. + + Add or update the following line: + + gpgcheck=1 + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000366-GPOS-00153' + tag gid: 'V-PHTN-40-000199' + tag rid: 'SV-PHTN-40-000199' + tag stig_id: 'PHTN-40-000199' + tag cci: ['CCI-001749'] + tag nist: ['CM-5 (3)'] + + results = command('find /etc/yum.repos.d/ -type f').stdout + if !results.empty? + results.split.each do |repofile| + describe file(repofile) do + its('content') { should match /^(?=.*?\bgpgcheck=1\b).*$/ } + end + end + else + describe 'No YUM repo files found to check.' do + skip 'No YUM repo files found to check.' + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000200.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000200.rb new file mode 100644 index 00000000..bb6d1773 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000200.rb 
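Review bot: The per-file match `/^(?=.*?\bgpgcheck=1\b).*$/` passes as soon as any line contains `gpgcheck=1`, so a commented `#gpgcheck=1`, or a file whose first `[repo]` section has `gpgcheck=1` while a second has `gpgcheck=0`, is accepted although the second repository installs unverified packages. Anchor the positive match and add a negative one: `its('content') { should match /^\s*gpgcheck\s*=\s*1\s*$/ }` and `its('content') { should_not match /^\s*gpgcheck\s*=\s*0\s*$/ }`. Parsing each file with `ini(repofile)` and asserting per section would be stricter still, since a section with no `gpgcheck` key falls back to whatever tdnf.conf specifies, which this control never inspects.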
@@ -0,0 +1,51 @@ +control 'PHTN-40-000200' do + title 'The Photon operating system must configure the Secure Shell (SSH) SyslogFacility.' + desc " + Automated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities. + + Shipping sshd authentication events to syslog allows organizations to use their log aggregators to correlate forensic activities among multiple systems. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i SyslogFacility + + Example result: + + syslogfacility AUTHPRIV + + If \"syslogfacility\" is not set to \"AUTH\" or \"AUTHPRIV\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"SyslogFacility\" line is uncommented and set to the following: + + SyslogFacility AUTHPRIV + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000032-GPOS-00013' + tag gid: 'V-PHTN-40-000200' + tag rid: 'SV-PHTN-40-000200' + tag stig_id: 'PHTN-40-000200' + tag cci: ['CCI-000067'] + tag nist: ['AC-17 (1)'] + + sshdcommand = input('sshdcommand') + describe.one do + describe command("#{sshdcommand}|&grep -i SyslogFacility") do + its('stdout.strip') { should cmp 'SyslogFacility AUTHPRIV' } + end + describe command("#{sshdcommand}|&grep -i SyslogFacility") do + its('stdout.strip') { should cmp 'SyslogFacility AUTH' } + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000201.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000201.rb new file mode 100644 index 00000000..084c85ed --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000201.rb 
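Review bot: The `describe.one` block runs the identical `sshd -T` pipeline twice just to accept two values; a single describe with an alternation is clearer and halves the subprocess calls: `describe command("#{sshdcommand}|&grep -i SyslogFacility") do` / `its('stdout.strip') { should match /^syslogfacility (AUTH|AUTHPRIV)$/i }` / `end`. Separately, `|&` (pipe both stdout and stderr) is a bash extension used throughout the new sshd controls; if the target's command shell is POSIX sh the command fails and every such control reports a finding. Prefer `2>&1 |`, or state in the README that bash is assumed on the target.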
@@ -0,0 +1,46 @@ +control 'PHTN-40-000201' do + title 'The Photon operating system must enable Secure Shell (SSH) authentication logging.' + desc " + Automated monitoring of remote access sessions allows organizations to detect cyberattacks and ensure ongoing compliance with remote access policies by auditing connection activities. + + The INFO LogLevel is required, at least, to ensure the capturing of failed login events. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i LogLevel + + Example result: + + loglevel INFO + + If \"LogLevel\" is not set to \"INFO\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"LogLevel\" line is uncommented and set to the following: + + LogLevel INFO + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000032-GPOS-00013' + tag gid: 'V-PHTN-40-000201' + tag rid: 'SV-PHTN-40-000201' + tag stig_id: 'PHTN-40-000201' + tag cci: ['CCI-000067'] + tag nist: ['AC-17 (1)'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i LogLevel") do + its('stdout.strip') { should cmp 'LogLevel INFO' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000203.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000203.rb new file mode 100644 index 00000000..ee87a324 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000203.rb 
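Review bot: The description says "The INFO LogLevel is required, at least", but the check text and `should cmp 'LogLevel INFO'` accept only INFO, so an administrator who raised the level to VERBOSE (which still records failed logins and adds key fingerprints) is flagged. If "at least INFO" is the intent, accept both: `its('stdout.strip') { should match /^loglevel (INFO|VERBOSE)$/i }` and reword the check text; if exactly INFO is intended, drop "at least" from the description. DEBUG levels are reasonably excluded either way, since the sshd_config manual warns they violate user privacy.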
@@ -0,0 +1,46 @@ +control 'PHTN-40-000203' do + title 'The Photon operating system must terminate idle Secure Shell (SSH) sessions.' + desc " + Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + + Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i ClientAliveCountMax + + Expected result: + + clientalivecountmax 0 + + If \"ClientAliveCountMax\" is not set to \"0\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"ClientAliveCountMax\" line is uncommented and set to the following: + + ClientAliveCountMax 0 + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000163-GPOS-00072' + tag gid: 'V-PHTN-40-000203' + tag rid: 'SV-PHTN-40-000203' + tag stig_id: 'PHTN-40-000203' + tag cci: ['CCI-001133'] + tag nist: ['SC-10'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i ClientAliveCountMax") do + its('stdout.strip') { should cmp 'ClientAliveCountMax 0' } + end +end 
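Review bot: Requiring `ClientAliveCountMax 0` is likely to do the opposite of the title on modern sshd: since OpenSSH 8.2 a value of 0 disables connection termination entirely instead of dropping the session after the first missed keepalive, and Photon 4.x ships OpenSSH 8.x as far as I know, so a host passing this check never terminates idle sessions. Consider the current guidance of `ClientAliveCountMax 1` together with a non-zero `ClientAliveInterval` (presumably checked by a sibling control) and change the assertion to `its('stdout.strip') { should cmp 'ClientAliveCountMax 1' }`, with the check and fix text updated to match. If the pre-8.2 semantics are deliberately targeted, the description should state the sshd version it assumes.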
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000204.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000204.rb new file mode 100644 index 00000000..e33afcb9 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000204.rb 
@@ -0,0 +1,71 @@ +control 'PHTN-40-000204' do + title 'The Photon operating system must audit all account modifications.' + desc " + Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. + + To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify an audit rule exists to audit account modifications: + + # auditctl -l | grep -E \"(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)\" + + Expected result: + + -w /etc/passwd -p wa -k passwd + -w /etc/shadow -p wa -k shadow + -w /etc/group -p wa -k group + -w /etc/gshadow -p wa -k gshadow + + If the output does not match the expected result, this is a finding. + + Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016. + " + desc 'fix', " + Navigate to and open: + + /etc/audit/rules.d/audit.STIG.rules + + Add or update the following lines: + + -w /etc/passwd -p wa -k passwd + -w /etc/shadow -p wa -k shadow + -w /etc/group -p wa -k group + -w /etc/gshadow -p wa -k gshadow + + At the command line, run the following command to load the new audit rules: + + # /sbin/augenrules --load + + Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd. + + Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000239-GPOS-00089' + tag satisfies: ['SRG-OS-000303-GPOS-00120', 'SRG-OS-000467-GPOS-00211'] + tag gid: 'V-PHTN-40-000204' + tag rid: 'SV-PHTN-40-000204' + tag stig_id: 'PHTN-40-000204' + tag cci: ['CCI-000172', 'CCI-001403', 'CCI-002130'] + tag nist: ['AC-2 (4)', 'AU-12 c'] + + describe auditd.file('/etc/passwd') do + its('permissions') { should include ['w', 'a'] } + its('key') { should cmp 'passwd' } + end + describe auditd.file('/etc/shadow') do + its('permissions') { should include ['w', 'a'] } + its('key') { should cmp 'shadow' } + end + describe auditd.file('/etc/group') do + its('permissions') { should include ['w', 'a'] } + its('key') { should cmp 'group' } + end + describe auditd.file('/etc/gshadow') do + its('permissions') { should include ['w', 'a'] } + its('key') { should cmp 'gshadow' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000206.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000206.rb new file mode 100644 index 00000000..7e5425cf --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000206.rb 
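Review bot: The control inspects only the live rule set (`auditctl -l`), while the fix writes to /etc/audit/rules.d/audit.STIG.rules, so a watch loaded by hand with `auditctl -w /etc/passwd -p wa -k passwd` passes today and disappears at the next reboot. Pair each `auditd.file` describe with a persisted-rule check such as `describe file('/etc/audit/rules.d/audit.STIG.rules') do its('content') { should match /^-w \/etc\/passwd -p wa -k passwd$/ } end`, or say in the check text that persistence is covered elsewhere. Note also that `should include ['w', 'a']` matches only a rule whose permission set is exactly `wa`; a broader `-p rwxa` watch satisfies the intent but is reported as a finding, which is fine if deliberate but worth a sentence in the check text.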
@@ -0,0 +1,42 @@ +control 'PHTN-40-000206' do + title 'The Photon operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.' + desc 'Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the pam_faildelay.so module is used: + + # grep '^auth' /etc/pam.d/system-auth + + Example result: + + auth required pam_faillock.so preauth + auth required pam_unix.so + auth required pam_faillock.so authfail + auth optional pam_faildelay.so delay=4000000 + + If the pam_faildelay.so module is not present with the delay set to at least 4 seconds, this is a finding. + + Note: The delay is configured in milliseconds. + " + desc 'fix', " + Navigate to and open: + + /etc/pam.d/system-auth + + Add or update the following line: + + auth optional pam_faildelay.so delay=4000000 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00226' + tag gid: 'V-PHTN-40-000206' + tag rid: 'SV-PHTN-40-000206' + tag stig_id: 'PHTN-40-000206' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe file('/etc/pam.d/system-auth') do + its('content') { should match /^auth\s+(required|requisite|optional)\s+pam_faildelay\.so\s+(?=.*\bdelay=4000000\b).*$/ } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000207.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000207.rb new file mode 100644 index 00000000..7a7b8e6a --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000207.rb 
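Review bot: The check text's note `The delay is configured in milliseconds.` is wrong for pam_faildelay, whose `delay=` argument is in microseconds; `delay=4000000` is indeed 4 s, but a reader following the note would write `delay=4000` and get a 4 ms delay. Change it to `Note: The delay is configured in microseconds.`. The regex also pins `delay=4000000` exactly while the title and check text say "at least 4 seconds", so a stricter `delay=5000000` is flagged; either capture the value and compare it (`>= 4_000_000`) or word the check text as an exact value so code and text agree.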
@@ -0,0 +1,42 @@ +control 'PHTN-40-000207' do + title 'The Photon operating system must configure Secure Shell (SSH) to disallow authentication with an empty password.' + desc 'Blank passwords are one of the first things an attacker checks for when probing a system. Even if the user somehow has a blank password on the OS, SSH must not allow that user to log in.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i PermitEmptyPasswords + + Example result: + + permitemptypasswords no + + If \"PermitEmptyPasswords\" is not set to \"no\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"PermitEmptyPasswords\" line is uncommented and set to the following: + + PermitEmptyPasswords no + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000480-GPOS-00229' + tag gid: 'V-PHTN-40-000207' + tag rid: 'SV-PHTN-40-000207' + tag stig_id: 'PHTN-40-000207' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i PermitEmptyPasswords") do + its('stdout.strip') { should cmp 'PermitEmptyPasswords no' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000208.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000208.rb new file mode 100644 index 00000000..a3a4d185 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000208.rb 
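Review bot: The check text calls the `sshd -T` output "the running configuration of sshd", but `sshd -T` parses sshd_config from disk in a fresh process; if the file was edited and the `systemctl restart sshd.service` step in the fix was skipped, this control passes while the live daemon still accepts empty passwords. Reword to "the effective configuration from sshd_config" here and in the other new sshd controls, and consider a short note that a restart is required for the change to take effect. Given the high severity, an additional `describe service('sshd') do it { should be_running } end` would at least confirm the daemon being described is present.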
@@ -0,0 +1,42 @@ +control 'PHTN-40-000208' do + title 'The Photon operating system must configure Secure Shell (SSH) to disable user environment processing.' + desc 'Enabling user environment processing may enable users to bypass access restrictions in some configurations and must therefore be disabled.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i PermitUserEnvironment + + Example result: + + permituserenvironment no + + If \"PermitUserEnvironment\" is not set to \"no\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"PermitUserEnvironment\" line is uncommented and set to the following: + + PermitUserEnvironment no + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000480-GPOS-00229' + tag gid: 'V-PHTN-40-000208' + tag rid: 'SV-PHTN-40-000208' + tag stig_id: 'PHTN-40-000208' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i PermitUserEnvironment") do + its('stdout.strip') { should cmp 'PermitUserEnvironment no' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000209.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000209.rb new file mode 100644 index 00000000..47d480ea --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000209.rb 
@@ -0,0 +1,37 @@ +control 'PHTN-40-000209' do + title 'The Photon operating system must create a home directory for all new local interactive user accounts.' + desc 'If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify a home directory is created for all new user accounts: + + # grep '^CREATE_HOME' /etc/login.defs + + Example result: + + CREATE_HOME yes + + If the \"CREATE_HOME\" option is not set to \"yes\", is missing or commented out, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/login.defs + + Add or update the following line: + + CREATE_HOME yes + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000209' + tag rid: 'SV-PHTN-40-000209' + tag stig_id: 'PHTN-40-000209' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe login_defs do + its('CREATE_HOME') { should cmp 'yes' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000210.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000210.rb new file mode 100644 index 00000000..ac0bbc13 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000210.rb 
@@ -0,0 +1,31 @@ +control 'PHTN-40-000210' do + title 'The Photon operating system must disable the debug-shell service.' + desc 'The debug-shell service is intended to diagnose systemd related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9. This service must remain disabled until and unless otherwise directed by VMware support.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the debug-shell service is disabled: + + # systemctl status debug-shell.service + + If the debug-shell service is not stopped and disabled, this is a finding. + " + desc 'fix', " + At the command line, run the following commands: + + # systemctl stop debug-shell.service + # systemctl disable debug-shell.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000210' + tag rid: 'SV-PHTN-40-000210' + tag stig_id: 'PHTN-40-000210' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe systemd_service('debug-shell.service') do + it { should_not be_enabled } + it { should_not be_running } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000211.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000211.rb new file mode 100644 index 00000000..9146de31 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000211.rb 
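Review bot: Stopping and disabling debug-shell.service leaves it startable: `systemctl start debug-shell.service` still brings up a root shell on tty9, and to my knowledge systemd-debug-generator re-enables the unit when `systemd.debug_shell` appears on the kernel command line regardless of the disabled state. The fix should also mask the unit (`# systemctl mask debug-shell.service`), and the control can verify that with `describe command('systemctl is-enabled debug-shell.service') do its('stdout.strip') { should cmp 'masked' } end` alongside the existing `be_running` check. If masking is intentionally out of scope, the description should say why.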
@@ -0,0 +1,42 @@ +control 'PHTN-40-000211' do + title 'The Photon operating system must configure Secure Shell (SSH) to disallow Generic Security Service Application Program Interface (GSSAPI) authentication.' + desc "GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through Secure Shell (SSH) exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system." + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i GSSAPIAuthentication + + Example result: + + gssapiauthentication no + + If \"GSSAPIAuthentication\" is not set to \"no\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"GSSAPIAuthentication\" line is uncommented and set to the following: + + GSSAPIAuthentication no + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000211' + tag rid: 'SV-PHTN-40-000211' + tag stig_id: 'PHTN-40-000211' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i GSSAPIAuthentication") do + its('stdout.strip') { should cmp 'GSSAPIAuthentication no' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000212.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000212.rb new file mode 100644 index 00000000..fa7465f1 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000212.rb 
@@ -0,0 +1,42 @@ +control 'PHTN-40-000212' do + title 'The Photon operating system must configure Secure Shell (SSH) to disable X11 forwarding.' + desc 'X11 is an older, insecure graphics forwarding protocol. It is not used by Photon and should be disabled as a general best practice to limit attack surface area and communication channels.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i X11Forwarding + + Example result: + + x11forwarding no + + If \"X11Forwarding\" is not set to \"no\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"X11Forwarding\" line is uncommented and set to the following: + + X11Forwarding no + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000212' + tag rid: 'SV-PHTN-40-000212' + tag stig_id: 'PHTN-40-000212' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i X11Forwarding") do + its('stdout.strip') { should cmp 'X11Forwarding no' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000213.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000213.rb new file mode 100644 index 00000000..f76baeb9 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000213.rb 
@@ -0,0 +1,42 @@ +control 'PHTN-40-000213' do + title 'The Photon operating system must configure Secure Shell (SSH) to perform strict mode checking of home directory configuration files.' + desc 'If other users have access to modify user-specific Secure Shell (SSH) configuration files, they may be able to log on to the system as another user.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i StrictModes + + Example result: + + strictmodes yes + + If \"StrictModes\" is not set to \"yes\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"StrictModes\" line is uncommented and set to the following: + + StrictModes yes + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000213' + tag rid: 'SV-PHTN-40-000213' + tag stig_id: 'PHTN-40-000213' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i StrictModes") do + its('stdout.strip') { should cmp 'StrictModes yes' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000214.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000214.rb new file mode 100644 index 00000000..351540de --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000214.rb 
@@ -0,0 +1,42 @@ +control 'PHTN-40-000214' do + title 'The Photon operating system must configure Secure Shell (SSH) to disallow Kerberos authentication.' + desc "If Kerberos is enabled through Secure Shell (SSH), sshd provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled." + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i KerberosAuthentication + + Example result: + + kerberosauthentication no + + If \"KerberosAuthentication\" is not set to \"no\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"KerberosAuthentication\" line is uncommented and set to the following: + + KerberosAuthentication no + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000214' + tag rid: 'SV-PHTN-40-000214' + tag stig_id: 'PHTN-40-000214' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i KerberosAuthentication") do + its('stdout.strip') { should cmp 'KerberosAuthentication no' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000215.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000215.rb new file mode 100644 index 00000000..09b60f49 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000215.rb 
@@ -0,0 +1,42 @@ +control 'PHTN-40-000215' do + title 'The Photon operating system must configure Secure Shell (SSH) to disallow compression of the encrypted session stream.' + desc 'If compression is allowed in a Secure Shell (SSH) connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i Compression + + Example result: + + compression no + + If there is no output or if \"Compression\" is not set to \"delayed\" or \"no\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"Compression\" line is uncommented and set to the following: + + Compression no + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000215' + tag rid: 'SV-PHTN-40-000215' + tag stig_id: 'PHTN-40-000215' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i Compression") do + its('stdout.strip') { should cmp 'Compression no' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000216.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000216.rb new file mode 100644 index 00000000..3e276630 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000216.rb 
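Review bot: The check text accepts `delayed` or `no`, but the assertion `should cmp 'Compression no'` accepts only `no`, so a host configured with `Compression delayed` passes the written check and fails the automated one. Align them with `its('stdout.strip') { should match /^compression (no|delayed)$/i }`, or drop `delayed` from the check text if only `no` is intended. Note that on OpenSSH 7.4 and later pre-authentication compression was removed and `yes` already behaves as delayed, so the description's rationale about unauthenticated compression may not apply to the sshd shipped with Photon 4.x; worth a hedged sentence in the description.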
@@ -0,0 +1,42 @@ +control 'PHTN-40-000216' do + title 'The Photon operating system must configure Secure Shell (SSH) to display the last login immediately after authentication.' + desc 'Providing users with feedback on the last time they logged on via Secure Shell (SSH) facilitates user recognition and reporting of unauthorized account use.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i PrintLastLog + + Example result: + + printlastlog yes + + If \"PrintLastLog\" is not set to \"yes\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"PrintLastLog\" line is uncommented and set to the following: + + PrintLastLog yes + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000216' + tag rid: 'SV-PHTN-40-000216' + tag stig_id: 'PHTN-40-000216' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i PrintLastLog") do + its('stdout.strip') { should cmp 'PrintLastLog yes' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000217.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000217.rb new file mode 100644 index 00000000..6fcbf645 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000217.rb 
@@ -0,0 +1,42 @@ +control 'PHTN-40-000217' do + title 'The Photon operating system must configure Secure Shell (SSH) to ignore user-specific trusted hosts lists.' + desc 'SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines, which must also be ignored while disabling host-based authentication generally.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i IgnoreRhosts + + Example result: + + ignorerhosts yes + + If \"IgnoreRhosts\" is not set to \"yes\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"IgnoreRhosts\" line is uncommented and set to the following: + + IgnoreRhosts yes + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000217' + tag rid: 'SV-PHTN-40-000217' + tag stig_id: 'PHTN-40-000217' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i IgnoreRhosts") do + its('stdout.strip') { should cmp 'IgnoreRhosts yes' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000218.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000218.rb new file mode 100644 index 00000000..c88f9455 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000218.rb 
@@ -0,0 +1,42 @@ +control 'PHTN-40-000218' do + title 'The Photon operating system must configure Secure Shell (SSH) to ignore user-specific known_host files.' + desc 'SSH trust relationships enable trivial lateral spread after a host compromise and therefore must be explicitly disabled. Individual users can have a local list of trusted remote machines which must also be ignored while disabling host-based authentication generally.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i IgnoreUserKnownHosts + + Expected result: + + ignoreuserknownhosts yes + + If \"IgnoreUserKnownHosts\" is not set to \"yes\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"IgnoreUserKnownHosts\" line is uncommented and set to the following: + + IgnoreUserKnownHosts yes + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000218' + tag rid: 'SV-PHTN-40-000218' + tag stig_id: 'PHTN-40-000218' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i IgnoreUserKnownHosts") do + its('stdout.strip') { should cmp 'IgnoreUserKnownHosts yes' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000219.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000219.rb new file mode 100644 index 00000000..56346b18 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000219.rb 
@@ -0,0 +1,42 @@ +control 'PHTN-40-000219' do + title 'The Photon operating system must configure Secure Shell (SSH) to limit the number of allowed login attempts per connection.' + desc 'By setting the login attempt limit to a low value, an attacker will be forced to reconnect frequently, which severely limits the speed and effectiveness of brute-force attacks.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i MaxAuthTries + + Example result: + + maxauthtries 6 + + If \"MaxAuthTries\" is not set to \"6\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"MaxAuthTries\" line is uncommented and set to the following: + + MaxAuthTries 6 + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000219' + tag rid: 'SV-PHTN-40-000219' + tag stig_id: 'PHTN-40-000219' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i MaxAuthTries") do + its('stdout.strip') { should cmp 'MaxAuthTries 6' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000220.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000220.rb new file mode 100644 index 00000000..073f9b88 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000220.rb 
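Review bot: `should cmp 'MaxAuthTries 6'` turns a stricter setting into a finding: an administrator who configures `MaxAuthTries 3` fails this control even though the requirement is an upper bound on login attempts per connection, and the check text ("not set to 6") has the same problem. Assert the bound instead, e.g. `its('stdout.strip') { should match /^maxauthtries\s+[1-6]$/i }`, and word the check as "greater than 6".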
@@ -0,0 +1,42 @@ +control 'PHTN-40-000220' do + title 'The Photon operating system must configure Secure Shell (SSH) to restrict AllowTcpForwarding.' + desc 'While enabling TCP tunnels is a valuable function of sshd, this feature is not appropriate for use on single purpose appliances.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i AllowTcpForwarding + + Example result: + + allowtcpforwarding no + + If \"AllowTcpForwarding\" is not set to \"no\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"AllowTcpForwarding\" line is uncommented and set to the following: + + AllowTcpForwarding no + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000220' + tag rid: 'SV-PHTN-40-000220' + tag stig_id: 'PHTN-40-000220' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i AllowTcpForwarding") do + its('stdout.strip') { should cmp 'AllowTcpForwarding no' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000221.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000221.rb new file mode 100644 index 00000000..a239b9b0 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000221.rb 
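Review bot: `AllowTcpForwarding no` disables only TCP port forwarding; `AllowStreamLocalForwarding` (Unix-domain socket forwarding, default `yes`) and agent forwarding are untouched, so the "no tunnels on a single-purpose appliance" rationale is only partly enforced by this control. If no sibling control covers those, either add `AllowStreamLocalForwarding no` to the fix text and assert it alongside this one, or note that the newer `DisableForwarding yes` directive subsumes all of them.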
@@ -0,0 +1,42 @@ +control 'PHTN-40-000221' do + title 'The Photon operating system must configure Secure Shell (SSH) to restrict LoginGraceTime.' + desc 'By default, SSH unauthenticated connections are left open for two minutes before being closed. This setting is too permissive as no legitimate login would need such an amount of time to complete a login. Quickly terminating idle or incomplete login attempts will free up resources and reduce the exposure any partial logon attempts may create.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i LoginGraceTime + + Example result: + + logingracetime 30 + + If \"LoginGraceTime\" is not set to \"30\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"LoginGraceTime\" line is uncommented and set to the following: + + LoginGraceTime 30 + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000221' + tag rid: 'SV-PHTN-40-000221' + tag stig_id: 'PHTN-40-000221' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + sshdcommand = input('sshdcommand') + describe command("#{sshdcommand}|&grep -i LoginGraceTime") do + its('stdout.strip') { should cmp 'LoginGraceTime 30' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000222.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000222.rb new file mode 100644 index 00000000..301c041a --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000222.rb 
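Review bot: `should cmp 'LoginGraceTime 30'` rejects every value except exactly 30, so a stricter `LoginGraceTime 20` is reported as a finding, while the one value that is genuinely dangerous, `0` (no limit at all), must be excluded explicitly once the check becomes a range. Suggest `its('stdout.strip') { should match /^logingracetime\s+([1-9]|[12][0-9]|30)$/i }` and "greater than 30 or set to 0" wording in the check text.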
@@ -0,0 +1,44 @@ +control 'PHTN-40-000222' do + title 'The Photon operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.' + desc 'When the Ctrl-Alt-Del target is enabled, a locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of systems availability due to unintentional reboot.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the ctrl-alt-del target is disabled and masked: + + # systemctl status ctrl-alt-del.target --no-pager + + Example output: + + ctrl-alt-del.target + \tLoaded: masked (Reason: Unit ctrl-alt-del.target is masked.) + \tActive: inactive (dead) + + If the \"ctrl-alt-del.target\" is not \"inactive\" and \"masked\", this is a finding. + " + desc 'fix', " + At the command line, run the following commands: + + # systemctl disable ctrl-alt-del.target + # systemctl mask ctrl-alt-del.target + # systemctl daemon-reload + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000222' + tag rid: 'SV-PHTN-40-000222' + tag stig_id: 'PHTN-40-000222' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe systemd_service('ctrl-alt-del.target') do + it { should_not be_enabled } + it { should_not be_running } + end + describe systemd_service('ctrl-alt-del.target').params['LoadState'] do + it { should cmp 'masked' } + end + describe systemd_service('ctrl-alt-del.target').params['UnitFileState'] do + it { should cmp 'masked' } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000223.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000223.rb new file mode 100644 index 00000000..b2e703e3 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000223.rb 
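Review bot: Masking `ctrl-alt-del.target` stops the normal key-sequence handling, but systemd's `CtrlAltDelBurstAction=` in system.conf (documented default `reboot-force`) still force-reboots the host when the sequence is pressed more than seven times within two seconds, so the title's goal is not fully met by this control alone — worth verifying on the Photon systemd build in use. Consider adding `describe file('/etc/systemd/system.conf') do its('content') { should match /^CtrlAltDelBurstAction=none/ } end` and the matching line in the fix text. Separately, `systemctl disable` on a target that is then masked is redundant but harmless.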
@@ -0,0 +1,62 @@ +control 'PHTN-40-000223' do + title 'The Photon operating system must not forward IPv4 or IPv6 source-routed packets.' + desc " + Source routing is an Internet Protocol mechanism that allows an IP packet to carry information, a list of addresses, that tells a router the path the packet must take. There is also an option to record the hops as the route is traversed. + + The list of hops taken, the \"route record\", provides the destination with a return path to the source. This allows the source (the sending host) to specify the route, loosely or strictly, ignoring the routing tables of some or all of the routers. It can allow a user to redirect network traffic for malicious purposes and should therefore be disabled. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify source-routed packets are not forwarded: + + # /sbin/sysctl -a --pattern \"net.ipv[4|6].conf.(all|default).accept_source_route\" + + Expected result: + + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 + net.ipv6.conf.all.accept_source_route = 0 + net.ipv6.conf.default.accept_source_route = 0 + + If the \"accept_source_route\" kernel parameters are not set to \"0\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following lines: + + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 + net.ipv6.conf.all.accept_source_route = 0 + net.ipv6.conf.default.accept_source_route = 0 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000223' + tag rid: 'SV-PHTN-40-000223' + tag stig_id: 'PHTN-40-000223' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do + its('value') { should cmp 0 } + end + describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do + its('value') { should cmp 0 } + end + describe kernel_parameter('net.ipv6.conf.all.accept_source_route') do + its('value') { should cmp 0 } + end + describe kernel_parameter('net.ipv6.conf.default.accept_source_route') do + its('value') { should cmp 0 } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000224.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000224.rb new file mode 100644 index 00000000..606c4a57 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000224.rb 
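Review bot: `kernel_parameter` reads only the running value, so a setting applied with `sysctl -w` that was never written to `/etc/sysctl.d/zz-stig-hardening.conf` passes this control and silently reverts at the next boot; the fix text asks for persistence but nothing asserts it. Also, on a host where IPv6 is disabled at boot the `net.ipv6.*` keys do not exist, `kernel_parameter(...).value` is nil and the control fails for a reason the check text never mentions — consider an `only_if` on the IPv6 sysctl tree or an explicit note. Minor: `net.ipv[4|6].conf...` in the check text is a character class (it also matches a literal `|`); `net.ipv(4|6)` is what was meant. These points apply to the other sysctl controls in this commit as well.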
@@ -0,0 +1,43 @@ +control 'PHTN-40-000224' do + title 'The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.' + desc 'Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify ICMP echoes sent to a broadcast address are ignored: + + # /sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts + + Example result: + + net.ipv4.icmp_echo_ignore_broadcasts = 1 + + If the \"net.ipv4.icmp_echo_ignore_broadcasts\" kernel parameter is not set to \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following line: + + net.ipv4.icmp_echo_ignore_broadcasts = 1 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000224' + tag rid: 'SV-PHTN-40-000224' + tag stig_id: 'PHTN-40-000224' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do + its('value') { should cmp 1 } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000225.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000225.rb new file mode 100644 index 00000000..57ccb924 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000225.rb 
@@ -0,0 +1,48 @@ +control 'PHTN-40-000225' do + title 'The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.' + desc "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack." + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify ICMP redirects are not accepted: + + # /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).accept_redirects\" + + Expected result: + + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + + If the \"accept_redirects\" kernel parameters are not set to \"0\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following lines: + + net.ipv4.conf.all.accept_redirects = 0 + net.ipv4.conf.default.accept_redirects = 0 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000225' + tag rid: 'SV-PHTN-40-000225' + tag stig_id: 'PHTN-40-000225' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do + its('value') { should cmp 0 } + end + describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do + its('value') { should cmp 0 } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000226.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000226.rb new file mode 100644 index 00000000..6f2817e7 --- /dev/null 
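Review bot: Only the IPv4 `accept_redirects` keys are asserted; unless another control in the profile covers `net.ipv6.conf.all.accept_redirects` and `net.ipv6.conf.default.accept_redirects`, an IPv6-enabled appliance still accepts unauthenticated ICMPv6 redirects, which is exactly the man-in-the-middle vector the description names. If the IPv4-only scope is deliberate, the gap should at least be stated in the check text.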
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000226.rb @@ -0,0 +1,48 @@ +control 'PHTN-40-000226' do + title 'The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted.' + desc "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack." + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify ICMP secure redirects are not accepted: + + # /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).secure_redirects\" + + Expected result: + + net.ipv4.conf.all.secure_redirects = 0 + net.ipv4.conf.default.secure_redirects = 0 + + If the \"secure_redirects\" kernel parameters are not set to \"0\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following lines: + + net.ipv4.conf.all.secure_redirects = 0 + net.ipv4.conf.default.secure_redirects = 0 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000226' + tag rid: 'SV-PHTN-40-000226' + tag stig_id: 'PHTN-40-000226' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.conf.all.secure_redirects') do + its('value') { should cmp 0 } + end + describe kernel_parameter('net.ipv4.conf.default.secure_redirects') do + its('value') { should cmp 0 } + end +end 
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000227.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000227.rb new file mode 100644 index 00000000..972b5223 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000227.rb @@ -0,0 +1,48 @@ +control 'PHTN-40-000227' do + title 'The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects.' + desc "ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology." + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify ICMP send redirects are not accepted: + + # /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).send_redirects\" + + Expected result: + + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + If the \"send_redirects\" kernel parameters are not set to \"0\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following lines: + + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000227' + tag rid: 'SV-PHTN-40-000227' + tag stig_id: 'PHTN-40-000227' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.conf.all.send_redirects') do + its('value') { should cmp 0 } + end + describe kernel_parameter('net.ipv4.conf.default.send_redirects') do + its('value') { should cmp 0 } + end +end 
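Review bot: The check text says "verify ICMP send redirects are not accepted", but this control is about the host not *sending* redirects (`send_redirects`); "accepted" is copied from the previous control and will confuse assessors. Suggest `run the following command to verify the system does not send ICMP redirects:`. The assertions themselves are correct.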
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000228.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000228.rb new file mode 100644 index 00000000..5f00c80f --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000228.rb @@ -0,0 +1,48 @@ +control 'PHTN-40-000228' do + title 'The Photon operating system must log IPv4 packets with impossible addresses.' + desc 'The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify martian packets are logged: + + # /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).log_martians\" + + Expected result: + + net.ipv4.conf.all.log_martians = 1 + net.ipv4.conf.default.log_martians = 1 + + If the \"log_martians\" kernel parameters are not set to \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following lines: + + net.ipv4.conf.all.log_martians = 1 + net.ipv4.conf.default.log_martians = 1 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000228' + tag rid: 'SV-PHTN-40-000228' + tag stig_id: 'PHTN-40-000228' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.conf.all.log_martians') do + its('value') { should cmp 1 } + end + describe kernel_parameter('net.ipv4.conf.default.log_martians') do + its('value') { should cmp 1 } + end +end 
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000229.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000229.rb new file mode 100644 index 00000000..ad8964a8 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000229.rb @@ -0,0 +1,48 @@ +control 'PHTN-40-000229' do + title 'The Photon operating system must use a reverse-path filter for IPv4 network traffic.' + desc 'Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems that are routers for complicated networks but is helpful for end hosts and routers serving small networks.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify IPv4 traffic is using a reverse path filter: + + # /sbin/sysctl -a --pattern \"net.ipv4.conf.(all|default).rp_filter\" + + Expected result: + + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 + + If the \"rp_filter\" kernel parameters are not set to \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following lines: + + net.ipv4.conf.all.rp_filter = 1 + net.ipv4.conf.default.rp_filter = 1 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000229' + tag rid: 'SV-PHTN-40-000229' + tag stig_id: 'PHTN-40-000229' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.conf.all.rp_filter') do + its('value') { should cmp 1 } + end + describe kernel_parameter('net.ipv4.conf.default.rp_filter') do + its('value') { should cmp 1 } + end +end 
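Review bot: Asserting `all` and `default` does not guarantee strict filtering on interfaces that already exist: the kernel uses the maximum of `conf/all/rp_filter` and `conf/<iface>/rp_filter`, so an interface left at `2` runs in loose mode even with `all = 1`, and `default` only seeds interfaces created afterwards. If the profile wants certainty it should also walk `net.ipv4.conf.*.rp_filter` for live interfaces, or the check text should say that per-interface values were not examined.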
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000231.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000231.rb new file mode 100644 index 00000000..74f3b7a3 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000231.rb @@ -0,0 +1,45 @@ +control 'PHTN-40-000231' do + title 'The Photon operating system must not perform IPv4 packet forwarding.' + desc 'Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.' + desc 'rationale', '' + desc 'check', " + If IP forwarding is required, for example if Kubernetes is installed, this is Not Applicable. + + At the command line, run the following command to verify packet forwarding it disabled: + + # /sbin/sysctl net.ipv4.ip_forward + + Expected result: + + net.ipv4.ip_forward = 0 + + If the \"net.ipv4.ip_forward\" kernel parameter is not set to \"0\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following line: + + net.ipv4.ip_forward = 0 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000231' + tag rid: 'SV-PHTN-40-000231' + tag stig_id: 'PHTN-40-000231' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.ip_forward') do + its('value') { should cmp 0 } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000232.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000232.rb new file mode 100644 index 00000000..3f45e7f6 --- /dev/null 
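Review bot: The check text declares the control Not Applicable when IP forwarding is required (Kubernetes is the given example), but the InSpec block unconditionally asserts `net.ipv4.ip_forward` is 0, so such hosts are reported as a finding rather than N/A. Gate it on a profile input declared in inspec.yml, e.g. `only_if('IP forwarding is required on this host') { !input('ipforwarding_required') }`. IPv6 forwarding (`net.ipv6.conf.all.forwarding`) is not checked here either; if no sibling control covers it, say so.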
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000232.rb @@ -0,0 +1,43 @@ +control 'PHTN-40-000232' do + title 'The Photon operating system must send TCP timestamps.' + desc 'TCP timestamps are used to provide protection against wrapped sequence numbers. It is possible to calculate system uptime (and boot time) by analyzing TCP timestamps. These calculated uptimes can help a bad actor in determining likely patch levels for vulnerabilities.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify TCP timestamps are enabled: + + # /sbin/sysctl net.ipv4.tcp_timestamps + + Expected result: + + net.ipv4.tcp_timestamps = 1 + + If the \"net.ipv4.tcp_timestamps\" kernel parameter is not set to \"1\", this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/sysctl.d/zz-stig-hardening.conf + + Add or update the following line: + + net.ipv4.tcp_timestamps = 1 + + At the command line, run the following command to load the new configuration: + + # /sbin/sysctl --load + + Note: If the file zz-stig-hardening.conf doesn't exist it must be created. + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000232' + tag rid: 'SV-PHTN-40-000232' + tag stig_id: 'PHTN-40-000232' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + describe kernel_parameter('net.ipv4.tcp_timestamps') do + its('value') { should cmp 1 } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000233.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000233.rb new file mode 100644 index 00000000..0c0357d5 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000233.rb 
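Review bot: The description argues against its own requirement: it explains that TCP timestamps let an attacker compute uptime and infer patch level, then the control mandates `tcp_timestamps = 1`, so an assessor reading it will take the text as justification for `0`. The reason to keep them on is PAWS / wrapped-sequence-number protection, and the uptime leak is blunted on current kernels by per-connection timestamp offset randomization (to my recollection since Linux 4.10). Suggested replacement for the last two sentences: `Disabling timestamps removes PAWS protection; the uptime-disclosure concern is mitigated by per-connection timestamp offset randomization in current kernels, so timestamps must remain enabled.`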
@@ -0,0 +1,50 @@ +control 'PHTN-40-000233' do + title 'The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification.' + desc 'If a public host key file is modified by an unauthorized user, the SSH service may be compromised.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command: + + # stat -c \"%n permissions are %a and owned by %U:%G\" /etc/ssh/*key.pub + + Example result: + + /etc/ssh/ssh_host_dsa_key.pub permissions are 644 and owned by root:root + /etc/ssh/ssh_host_ecdsa_key.pub permissions are 644 and owned by root:root + /etc/ssh/ssh_host_ed25519_key.pub permissions are 644 and owned by root:root + /etc/ssh/ssh_host_rsa_key.pub permissions are 644 and owned by root:root + + If any \"key.pub\" file listed is not owned by root or not group owned by root or does not have permissions of \"0644\", this is a finding. + " + desc 'fix', " + At the command line, run the following commands for each returned file: + + # chmod 644 + # chown root:root + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000233' + tag rid: 'SV-PHTN-40-000233' + tag stig_id: 'PHTN-40-000233' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + results = command('find /etc/ssh/ -maxdepth 1 -name "*key.pub"').stdout + + if !results.empty? + results.split.each do |fname| + describe file(fname) do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + its('mode') { should cmp '0644' } + end + end + else + describe 'No SSH public keys found to process.' do + skip 'No SSH pucblic keys found to process.' + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000234.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000234.rb new file mode 100644 index 00000000..3b986a42 --- /dev/null 
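Review bot: `its('mode') { should cmp '0644' }` fails a public key that is *more* restrictive than 0644 (0640 or 0600), which is not a security regression — the requirement is an upper bound. Use InSpec's `it { should_not be_more_permissive_than('0644') }` and mirror that wording in the check text. Also the fix text's `# chmod 644` and `# chown root:root` lines have lost their file operand (probably a stripped `<file>` placeholder), and `skip 'No SSH pucblic keys found to process.'` has a typo.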
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000234.rb @@ -0,0 +1,50 @@ +control 'PHTN-40-000234' do + title 'The Photon operating system must be configured to protect the Secure Shell (SSH) private host key from unauthorized access.' + desc 'If an unauthorized user obtains the private SSH host key file, the host could be impersonated.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command: + + # stat -c \"%n permissions are %a and owned by %U:%G\" /etc/ssh/*key + + Example result: + + /etc/ssh/ssh_host_dsa_key permissions are 600 and owned by root:root + /etc/ssh/ssh_host_ecdsa_key permissions are 600 and owned by root:root + /etc/ssh/ssh_host_ed25519_key permissions are 600 and owned by root:root + /etc/ssh/ssh_host_rsa_key permissions are 600 and owned by root:root + + If any key file listed is not owned by root or not group owned by root or does not have permissions of \"0600\", this is a finding. + " + desc 'fix', " + At the command line, run the following commands for each returned file: + + # chmod 600 + # chown root:root + # systemctl restart sshd.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000234' + tag rid: 'SV-PHTN-40-000234' + tag stig_id: 'PHTN-40-000234' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + results = command('find /etc/ssh/ -maxdepth 1 -name "*key"').stdout + + if !results.empty? + results.split.each do |fname| + describe file(fname) do + its('owner') { should cmp 'root' } + its('group') { should cmp 'root' } + its('mode') { should cmp '0600' } + end + end + else + describe 'No SSH keys found to process.' do + skip 'No SSH keys found to process.' + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000235.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000235.rb new file mode 100644 index 00000000..b6b709db --- /dev/null 
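Review bot: Same upper-bound issue as the public-key control: `should cmp '0600'` turns a stricter `0400` into a finding, whereas `it { should_not be_more_permissive_than('0600') }` expresses the intent. The fix text's `# chmod 600` / `# chown root:root` lines are missing their file-path operand. Also `find /etc/ssh/ -maxdepth 1 -name "*key"` is a filename glob, so a host key pointed to from another location by a `HostKey` directive is never examined; enumerating `sshd -T | grep -i hostkey` would cover that case.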
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000235.rb @@ -0,0 +1,45 @@ +control 'PHTN-40-000235' do + title 'The Photon operating system must enforce password complexity on the root account.' + desc 'Password complexity rules must apply to all accounts on the system, including root. Without specifying the enforce_for_root flag, pam_pwquality does not apply complexity rules to the root user. While root users can find ways around this requirement, given its superuser power, it is necessary to attempt to force compliance.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify password complexity is enforced for the root account: + + # grep '^enforce_for_root' /etc/security/pwquality.conf + + Example result: + + enforce_for_root + + If the \"enforce_for_root\" option is missing or commented out, this is a finding. + + Note: If pwquality.conf is not used to configure pam_pwquality.so, these options may be specified on the pwquality line in the system-password file. + " + desc 'fix', " + Navigate to and open: + + /etc/security/pwquality.conf + + Add or update the following lines: + + enforce_for_root + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000235' + tag rid: 'SV-PHTN-40-000235' + tag stig_id: 'PHTN-40-000235' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + if input('usePwqualityConf') + describe parse_config_file('/etc/security/pwquality.conf') do + its('enforce_for_root') { should_not be nil } + end + else + describe file('/etc/pam.d/system-password') do + its('content') { should match /^password\s+(required|requisite)\s+pam_pwquality\.so\s+(?=.*\benforce_for_root\b).*$/ } + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000236.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000236.rb new file mode 100644 index 00000000..fd4e3803 --- /dev/null 
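Review bot: `parse_config_file('/etc/security/pwquality.conf')` is keyed on `key = value` assignments, and `enforce_for_root` is a bare flag with no `=`; unless InSpec's SimpleConfig registers such a line as a key (I could not confirm that from this profile), `its('enforce_for_root') { should_not be nil }` can never pass and the control always reports a finding when `usePwqualityConf` is true. A content match is unambiguous: `describe file('/etc/security/pwquality.conf') do its('content') { should match /^\s*enforce_for_root\s*$/ } end`, which is also the style the PAM branch already uses. The manual check's `grep '^enforce_for_root'` likewise misses an indented line.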
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000236.rb
@@ -0,0 +1,40 @@
+control 'PHTN-40-000236' do
+ title 'The Photon operating system must disable systemd fallback DNS.'
+ desc 'Systemd contains an ability to set fallback DNS servers which is used for DNS lookups in the event no system level DNS servers are configured or other DNS servers are specified in the Systemd resolved.conf file. If uncommented this configuration contains Google DNS servers by default and could result in DNS leaking info unknowingly in the event DNS is absent or misconfigured at the system level.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify systemd fallback DNS is disabled:
+
+ # resolvectl status | grep '^Fallback DNS'
+
+ If the output indicates that Fallback DNS servers are configured, this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/systemd/resolved.conf
+
+ Add or update the \"FallbackDNS\" entry to the following:
+
+ FallbackDNS=
+
+ Restart the Systemd resolved service by running the following command:
+
+ # systemctl restart systemd-resolved
+
+ Note: If this option is not given, a compiled-in list of DNS servers is used instead which is undesirable.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000480-GPOS-00227'
+ tag gid: 'V-PHTN-40-000236'
+ tag rid: 'SV-PHTN-40-000236'
+ tag stig_id: 'PHTN-40-000236'
+ tag cci: ['CCI-000366']
+ tag nist: ['CM-6 b']
+
+ describe command("resolvectl status | grep 'Fallback DNS'") do
+ its('stdout') { should cmp '' }
+ its('stderr') { should cmp '' }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000237.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000237.rb
new file mode 100644
index 00000000..df170e88
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000237.rb
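Review bot: `its('stderr') { should cmp '' }` makes a host where `systemd-resolved` is not running (or `resolvectl` cannot reach it) a finding, because `resolvectl status` reports that condition on stderr — that is a not-applicable situation, not a fallback-DNS misconfiguration. Gate the command on the service, e.g. `only_if('systemd-resolved is not in use') { systemd_service('systemd-resolved').running? }`, or assert on `/etc/systemd/resolved.conf` having `FallbackDNS=` with an empty value, which is what the fix actually edits. The manual check anchors with `'^Fallback DNS'` while the test greps unanchored `'Fallback DNS'`; `resolvectl` right-aligns its labels, so the anchored form can miss an indented line — keep the two consistent.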
@@ -0,0 +1,59 @@ +control 'PHTN-40-000237' do + title 'The Photon operating system must configure AIDE to detect changes to baseline configurations.' + desc " + Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + + Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following commands to verify AIDE is configured and used to monitor for file changes: + + # grep -v '^#' /etc/aide.conf | grep -v '^$' + + Example result: + + STIG = p+i+n+u+g+s+m+S + LOGS = p+n+u+g + /boot STIG + /opt STIG + /usr STIG + /etc STIG + /var/log LOGS + + If the AIDE configuration does not include the lines shown above, this is a finding. + + At the command line, run the following commands to verify an AIDE database is configured and used to monitor for file changes: + + # aide --check + + If the check command indicates there is no database available, this is a finding. + " + desc 'fix', " + Update the /etc/aide.conf file with the template provided as a supplemental document. + + At the command line, run the following commands to generate an AIDE database to use for file monitoring: + + # aide --init + # cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz + + Note: It is recommended to run these fix steps after all other STIG configurations have been completed so that the AIDE database includes those updates. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000363-GPOS-00150' + tag gid: 'V-PHTN-40-000237' + tag rid: 'SV-PHTN-40-000237' + tag stig_id: 'PHTN-40-000237' + tag cci: ['CCI-001744'] + tag nist: ['CM-3 (5)'] + + aidecontent = inspec.profile.file('aide.conf') + describe file('/etc/aide.conf') do + its('content') { should eq aidecontent } + end + describe command('aide --check') do + its('stdout.strip') { should match /AIDE found/ } + its('stdout.strip') { should_not match /Couldn't open file/ } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000238.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000238.rb new file mode 100644 index 00000000..878f978e --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000238.rb 
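Review bot: `its('content') { should eq aidecontent }` demands byte-for-byte identity with the profile's `aide.conf`, but the check text only requires that the listed rules and paths be present, so a host that adds a monitored directory or a comment, or differs in trailing whitespace, is reported as a finding the guidance does not define. Comparing the effective (non-comment, non-blank) directives keeps the test aligned with the check and with the `include(*list)` pattern used in PHTN-40-000245; `content.to_s` also avoids a `NoMethodError` on a missing `/etc/aide.conf`. The `aide --check` block is unchanged.
```ruby
aidecontent = inspec.profile.file('aide.conf')
# Compare effective directives only: the check requires the template's
# rules and paths to be present, not that the file be identical.
required = aidecontent.lines.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
describe file('/etc/aide.conf').content.to_s.lines.map(&:strip) do
  it { should include(*required) }
end
# … unchanged: aide --check describe block …
```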
@@ -0,0 +1,48 @@
+control 'PHTN-40-000238' do
+ title 'The Photon operating system must generate audit records for all access and modifications to the opasswd file.'
+ desc 'Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify an audit rule exists to audit the opasswd file:
+
+ # auditctl -l | grep -E /etc/security/opasswd
+
+ Expected result:
+
+ -w /etc/security/opasswd -p wa -k opasswd
+
+ If the opasswd file is not monitored for access or writes, this is a finding.
+
+ Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-40-000016.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/audit/rules.d/audit.STIG.rules
+
+ Add or update the following lines:
+
+ -w /etc/security/opasswd -p wa -k opasswd
+
+ At the command line, run the following command to load the new audit rules:
+
+ # /sbin/augenrules --load
+
+ Note: A \"audit.STIG.rules\" file is provided with this guidance for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd.
+
+ Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000480-GPOS-00227'
+ tag gid: 'V-PHTN-40-000238'
+ tag rid: 'SV-PHTN-40-000238'
+ tag stig_id: 'PHTN-40-000238'
+ tag cci: ['CCI-000366']
+ tag nist: ['CM-6 b']
+
+ describe auditd.file('/etc/security/opasswd') do
+ its('permissions') { should include ['w', 'a'] }
+ its('key') { should cmp 'opasswd' }
+ end
+end
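Review bot: `its('permissions') { should include ['w', 'a'] }` only passes for a rule whose permission list is exactly `w` followed by `a`; a rule written as `-p aw` or `-p rwa` satisfies the check text ("monitored for access or writes") yet would be reported as a finding, assuming the auditd resource keeps each rule's `-p` flags as an ordered character array. Flattening first accepts any superset: `its('permissions.flatten') { should include('w', 'a') }`. The `key` assertion is fine as written.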
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000239.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000239.rb
new file mode 100644
index 00000000..c5f280e5
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000239.rb
@@ -0,0 +1,61 @@ +control 'PHTN-40-000239' do + title 'The Photon operating system must implement only approved Message Authentication Codes (MACs) to protect the integrity of remote access sessions.' + desc " + Without cryptographic integrity protections, information can be altered by unauthorized users without detection. + + Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + + Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the running configuration of sshd: + + # sshd -T|&grep -i MACs + + Example result: + + macs hmac-sha2-512,hmac-sha2-256 + + If the output matches the macs in the example result or a subset thereof, this is not a finding. + + If the output contains any macs not listed in the example result, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/ssh/sshd_config + + Ensure the \"MACs\" line is uncommented and set to the following: + + MACs hmac-sha2-512,hmac-sha2-256 + + At the command line, run the following command: + + # systemctl restart sshd.service + " + impact 0.7 + tag severity: 'high' + tag gtitle: 'SRG-OS-000250-GPOS-00093' + tag gid: 'V-PHTN-40-000239' + tag rid: 'SV-PHTN-40-000239' + tag stig_id: 'PHTN-40-000239' + tag cci: ['CCI-001453'] + tag nist: ['AC-17 (2)'] + + sshdMacs = input('sshdMacs') + sshdcommand = input('sshdcommand') + macs = command("#{sshdcommand}|&grep -i MACs").stdout.strip.delete_prefix('macs ').split(',') + + if !macs.empty? 
+ macs.each do |mac|
+ describe mac do
+ it { should be_in sshdMacs }
+ end
+ end
+ else
+ describe 'No SSH MACs found...skipping...' do
+ skip 'No SSH MACs found...skipping...'
+ end
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000241.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000241.rb
new file mode 100644
index 00000000..4176a634
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000241.rb
@@ -0,0 +1,35 @@
+control 'PHTN-40-000241' do
+ title 'The Photon operating system must install rsyslog for offloading of audit logs.'
+ desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.'
+ desc 'rationale', ''
+ desc 'check', "
+ If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable.
+
+ At the command line, run the following commands to verify rsyslog is installed:
+
+ # rpm -qa | grep '^rsyslog-'
+
+ Example result:
+
+ rsyslog-8.2212.0-1.ph4.x86_64
+
+ If rsyslog is not installed, this is a finding.
+ "
+ desc 'fix', "
+ At the command line, run the following command:
+
+ # tdnf install rsyslog
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000480-GPOS-00227'
+ tag gid: 'V-PHTN-40-000241'
+ tag rid: 'SV-PHTN-40-000241'
+ tag stig_id: 'PHTN-40-000241'
+ tag cci: ['CCI-000366']
+ tag nist: ['CM-6 b']
+
+ describe systemd_service('rsyslog') do
+ it { should be_installed }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000242.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000242.rb
new file mode 100644
index 00000000..be0054f2
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000242.rb
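Review bot: An empty `macs` list is reported as a skip, but the list is also empty when `sshd -T` fails — it needs root and a readable host key, and `|&` folds its stderr into grep's input — so a host whose sshd configuration could not be read is recorded as skipped rather than failed. Assert the command itself before parsing (for example a separate `describe command(sshdcommand) do its('exit_status') { should cmp 0 } end`) or turn the `skip` branch into a failing expectation so an unreadable configuration cannot pass silently. Style: `if !macs.empty? ... else` reads better with the branches swapped, `if macs.empty?` first. The `if` opens in the previous chunk; only its tail is visible here.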
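Review bot: `systemd_service('rsyslog')` with `be_installed` reports whether a unit file is present, whereas the check text verifies the package with `rpm -qa | grep '^rsyslog-'`; `describe package('rsyslog') do` / `it { should be_installed }` / `end` tests what the check describes. The check also declares the control not applicable when another offloading package such as syslog-ng is configured, but neither this control nor PHTN-40-000242 has a skip path for that case; an input guarding a `skip`, in the style of the existing `containerHost` input, would let assessors record the N/A instead of a false finding.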
@@ -0,0 +1,33 @@
+control 'PHTN-40-000242' do
+ title 'The Photon operating system must enable the rsyslog service.'
+ desc 'Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.'
+ desc 'rationale', ''
+ desc 'check', "
+ If another package is used to offload logs, such as syslog-ng, and is properly configured, this is not applicable.
+
+ At the command line, run the following command to verify rsyslog is enabled and running:
+
+ # systemctl status rsyslog
+
+ If the rsyslog service is not enabled and running, this is a finding.
+ "
+ desc 'fix', "
+ At the command line, run the following commands:
+
+ # systemctl enable rsyslog
+ # systemctl start rsyslog
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000480-GPOS-00227'
+ tag gid: 'V-PHTN-40-000242'
+ tag rid: 'SV-PHTN-40-000242'
+ tag stig_id: 'PHTN-40-000242'
+ tag cci: ['CCI-000366']
+ tag nist: ['CM-6 b']
+
+ describe systemd_service('rsyslog') do
+ it { should be_enabled }
+ it { should be_running }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000243.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000243.rb
new file mode 100644
index 00000000..241fe26f
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000243.rb
@@ -0,0 +1,43 @@ +control 'PHTN-40-000243' do + title 'The Photon operating system must be configured to use the pam_pwhistory.so module.' + desc 'Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.' + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the pam_pwhistory.so module is used: + + # grep '^password' /etc/pam.d/system-password + + Example result: + + password required pam_pwhistory.so use_authtok + password required pam_pwquality.so use_authtok + password required pam_unix.so sha512 shadow use_authtok + + If the \"pam_pwhistory.so\" module is not present, this is a finding. + If \"use_authtok\" is not present for the \"pam_pwhistory.so\" module, this is a finding. + If \"conf\" or \"file\" are present for the \"pam_pwhistory.so\" module, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /etc/pam.d/system-password + + Add or update the following line: + + password required pam_pwhistory.so use_authtok + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000077-GPOS-00045' + tag gid: 'V-PHTN-40-000243' + tag rid: 'SV-PHTN-40-000243' + tag stig_id: 'PHTN-40-000243' + tag cci: ['CCI-000200'] + tag nist: ['IA-5 (1) (e)'] + + describe file('/etc/pam.d/system-password') do + its('content') { should match /^password\s+(required|requisite)\s+pam_pwhistory\.so\s+(?=.*\buse_authtok\b).*$/ } + its('content') { should_not match /^password\s+(required|requisite)\s+pam_pwhistory\.so\s+(?=.*\bconf\b).*$/ } + its('content') { should_not match /^password\s+(required|requisite)\s+pam_pwhistory\.so\s+(?=.*\bfile\b).*$/ } + end +end 
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000244.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000244.rb
new file mode 100644
index 00000000..c2f54589
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000244.rb
@@ -0,0 +1,43 @@
+control 'PHTN-40-000244' do
+ title 'The Photon operating system must enable hardlink access control protection in the kernel.'
+ desc 'By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify hardlink protection is enabled:
+
+ # /sbin/sysctl fs.protected_hardlinks
+
+ Example result:
+
+ fs.protected_hardlinks = 1
+
+ If the \"fs.protected_hardlinks\" kernel parameter is not set to \"1\", this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/sysctl.d/zz-stig-hardening.conf
+
+ Add or update the following line:
+
+ fs.protected_hardlinks = 1
+
+ At the command line, run the following command to load the new configuration:
+
+ # /sbin/sysctl --load
+
+ Note: If the file zz-stig-hardening.conf doesn't exist it must be created.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000480-GPOS-00227'
+ tag gid: 'V-PHTN-40-000244'
+ tag rid: 'SV-PHTN-40-000244'
+ tag stig_id: 'PHTN-40-000244'
+ tag cci: ['CCI-000366']
+ tag nist: ['CM-6 b']
+
+ describe kernel_parameter('fs.protected_hardlinks') do
+ its('value') { should cmp 1 }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000245.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000245.rb
new file mode 100644
index 00000000..a57db596
--- /dev/null
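Review bot: The `desc` text for PHTN-40-000244 states that `fs.protected_hardlinks` stops users creating "soft or hard links" to files they do not own, but that sysctl governs hard links only (symlink following is a separate parameter), so the description claims more than the `kernel_parameter` test verifies. Suggested wording: `By enabling the fs.protected_hardlinks kernel parameter, users can no longer create hard links to files they do not own or do not have read/write access to.` The same sentence's "mitigate" should agree with its subject: `Disallowing such hardlinks mitigates`.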
+++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000245.rb 
@@ -0,0 +1,46 @@ +control 'PHTN-40-000245' do + title 'The Photon operating system must mount /tmp securely.' + desc " + The \"noexec\" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + + The \"nodev\" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + + The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + " + desc 'rationale', '' + desc 'check', " + At the command line, run the following command to verify the /tmp directory is mounted securely: + + # grep '^Options' /lib/systemd/system/tmp.mount + + Example result: + + Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m + + If \"noexec\",\"nodev\", and \"nosuid\" are not present, this is a finding. + " + desc 'fix', " + Navigate to and open: + + /lib/systemd/system/tmp.mount + + Add or update the required settings on the \"Options\" line, for example: + + Options=mode=1777,strictatime,nosuid,nodev,noexec,size=50%%,nr_inodes=1m + + Restart the system for the changes to take effect. 
+ " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-PHTN-40-000245' + tag rid: 'SV-PHTN-40-000245' + tag stig_id: 'PHTN-40-000245' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + + tmpoptions = ['nosuid', 'noexec', 'nodev'] + describe parse_config_file('/lib/systemd/system/tmp.mount').params['Mount'].Options.split(',') do + it { should include(*tmpoptions) } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000246.rb b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000246.rb new file mode 100644 index 00000000..0c1268c0 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/controls/PHTN-40-000246.rb 
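Review bot: `parse_config_file(...).params['Mount'].Options.split(',')` raises `NoMethodError` on `nil` if the `[Mount]` section or the `Options` key is absent, so a tmp.mount without an options line errors the control instead of producing a failing test; guard the lookup (`Array(parse_config_file(...).params.dig('Mount', 'Options')&.split(','))`) so the describe fails cleanly. The test also reads only the packaged unit under `/lib/systemd/system`; a unit or drop-in under `/etc/systemd/system` overrides it, and the options in effect are what protect `/tmp`. Adding `describe mount('/tmp') do` / `its('options') { should include(*tmpoptions) }` / `end` checks the live mount regardless of which unit file supplied the options.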
@@ -0,0 +1,43 @@
+control 'PHTN-40-000246' do
+ title 'The Photon operating system must restrict core dumps.'
+ desc 'By enabling the fs.suid_dumpable kernel parameter, core dumps are not generated for setuid or otherwise protected/tainted binaries. This prevents users from potentially accessing core dumps with privileged information they would otherwise not have access to read.'
+ desc 'rationale', ''
+ desc 'check', "
+ At the command line, run the following command to verify core dumps are restricted:
+
+ # /sbin/sysctl fs.suid_dumpable
+
+ Example result:
+
+ fs.suid_dumpable = 0
+
+ If the \"fs.suid_dumpable\" kernel parameter is not set to \"0\", this is a finding.
+ "
+ desc 'fix', "
+ Navigate to and open:
+
+ /etc/sysctl.d/zz-stig-hardening.conf
+
+ Add or update the following line:
+
+ fs.suid_dumpable = 0
+
+ At the command line, run the following command to load the new configuration:
+
+ # /sbin/sysctl --load
+
+ Note: If the file zz-stig-hardening.conf doesn't exist it must be created.
+ "
+ impact 0.5
+ tag severity: 'medium'
+ tag gtitle: 'SRG-OS-000480-GPOS-00227'
+ tag gid: 'V-PHTN-40-000246'
+ tag rid: 'SV-PHTN-40-000246'
+ tag stig_id: 'PHTN-40-000246'
+ tag cci: ['CCI-000366']
+ tag nist: ['CM-6 b']
+
+ describe kernel_parameter('fs.suid_dumpable') do
+ its('value') { should cmp 0 }
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/photon/files/aide.conf b/aria/operations-for-logs/8.x/inspec/photon/files/aide.conf
new file mode 100644
index 00000000..7348a7bc
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/files/aide.conf
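Review bot: The `desc` string says "By enabling the fs.suid_dumpable kernel parameter, core dumps are not generated for setuid or otherwise protected/tainted binaries", which reads backwards: the `kernel_parameter` test at the end requires the value `0`, i.e. the parameter disabled. Suggested wording: `By setting the fs.suid_dumpable kernel parameter to 0, core dumps are not generated for setuid or otherwise protected/tainted binaries.`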
@@ -0,0 +1,68 @@ +# STIG configuration file for AIDE. + +@@define DBDIR /var/lib/aide + +# The location of the database to be read. +database_in=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +# Default. +log_level=info + +report_url=file:/var/log/aide/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#md5: md5 checksum +#sha1: sha1 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum +#haval: haval checksum +#gost: gost checksum +#crc32: crc32 checksum +#R: p+i+n+u+g+s+m+c+md5 +#L: p+i+n+u+g +#E: Empty group +#>: Growing logfile p+u+g+i+n+S + +# You can create custom rules like this. + +STIG = p+i+n+u+g+s+m+S + +LOGS = p+n+u+g + +# Next decide what directories/files you want in the database. + +/boot STIG +/opt STIG +/usr STIG +/etc STIG +/var/log LOGS + +# With AIDE's default verbosity level of 5, these would give lots of +# warnings upon tree traversal. It might change with future version. +# +#=/lost\+found DIR +#=/home DIR diff --git a/aria/operations-for-logs/8.x/inspec/photon/files/issue b/aria/operations-for-logs/8.x/inspec/photon/files/issue new file mode 100644 index 00000000..86883ffe --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/files/issue 
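Review bot: The `STIG` rule (`p+i+n+u+g+s+m+S`) records no checksum attribute, so a content change that preserves size and mtime — and mtime is trivially reset — is not reported by `aide --check`; if the supplemental template this file mirrors permits it, `STIG = p+i+n+u+g+s+m+S+sha256` (or `sha512`) closes that gap at the cost of a slower scan, and PHTN-40-000237's check text, which quotes the current rule verbatim, would need the same change. `report_url=file:/var/log/aide/aide.log` requires `/var/log/aide` to exist, which the `aide --init` fix steps do not create; a line such as `# /var/log/aide must exist before the first run` next to it would prevent a failed first scan. The attribute legend above the rules lists only md5/sha1/rmd160/tiger/haval/gost/crc32 and should mention the sha256/sha512 attributes current AIDE releases support.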
@@ -0,0 +1,6 @@
+You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+-At any time, the USG may inspect and seize data stored on this IS.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
diff --git a/aria/operations-for-logs/8.x/inspec/photon/files/tmout.sh b/aria/operations-for-logs/8.x/inspec/photon/files/tmout.sh
new file mode 100644
index 00000000..8bbf8a3b
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/files/tmout.sh
@@ -0,0 +1,4 @@
+TMOUT=900
+readonly TMOUT
+export TMOUT
+mesg n 2>/dev/null
diff --git a/aria/operations-for-logs/8.x/inspec/photon/inspec.yml b/aria/operations-for-logs/8.x/inspec/photon/inspec.yml
new file mode 100644
index 00000000..fa4570c1
--- /dev/null
+++ b/aria/operations-for-logs/8.x/inspec/photon/inspec.yml
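Review bot: `tmout.sh` carries no comment saying what it is for or where it is meant to live; the neighbouring `files/aide.conf` is used as a reference template compared against the host, and this file presumably serves the same role for a profile.d snippet, so a one-line header would help a maintainer, e.g. `# Reference profile.d snippet: 900 s idle timeout; readonly so a session cannot unset it`. A trailing comment on the last line explaining that `2>/dev/null` silences `mesg` when there is no controlling terminal would also be worthwhile.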
@@ -0,0 +1,84 @@ +name: vmware-photon-4.0-stig-inspec-baseline +title: InSpec Profile VMware Photon OS 4.0 Appliance based deployments +maintainer: VTAE +copyright: VTAE 2024 +copyright_email: stigs@broadcom.com +license: Apache-2.0 +summary: An InSpec Compliance Profile +version: 1.0.5 + +inputs: +- name: useFaillockConf + type: boolean + description: If /etc/security/faillock.conf is used to configure pam_faillock.so set this to true + value: true +- name: usePwqualityConf + type: boolean + description: If /etc/security/pwquality.conf is used to configure pam_pwquality.so set this to true + value: true +- name: useHistoryConf + type: boolean + description: If /etc/security/pwhistory.conf is used to configure pam_pwhistory.so set this to true + value: true +- name: containerHost + type: boolean + description: Used to indicate if system is a container host and running Kubernetes/Docker/etc for controls where this would make them N/A + value: false +- name: sshdcommand + type: string + value: 'sshd -T' + description: If a different sshd command is needed then supply a different input value such as if there are user matching rules. +- name: authprivlog + type: string + value: "/var/log/messages" #Enter expected log path for authpriv log in rsyslog conf +- name: disabled_modules + description: List of Kernel modules that must be disabled + type: array + value: + - bridge + - sctp + - dccp + - dccp_ipv4 + - dccp_ipv6 + - ipx + - appletalk + - decnet + - rds + - tipc + - bluetooth + - usb_storage + - ieee1394 + - cramfs + - freevxfs + - jffs2 + - hfs + - hfsplus + - squashfs + - udf +- name: syslogServer + type: string + value: "x.x.x.x:514" #Enter IP or FQDN of Syslog Server and Port +- name: ntptype + type: string + value: "ntpd" #Enter the NTP solution. 
Either "ntpd" "timesyncd" "chrony" +- name: ntpServers + type: array + description: Enter a list of NTP servers the system should sync with + value: + - time-a-g.nist.gov + - time-b-g.nist.gov +- name: sshdCiphers + type: array + description: List of FIPS validated SSH Ciphers + value: + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr +- name: sshdMacs + type: array + description: List of FIPS validated SSH MACs + value: + - hmac-sha2-512 + - hmac-sha2-256 \ No newline at end of file diff --git a/aria/operations-for-logs/8.x/inspec/photon/libraries/kernel_module.rb b/aria/operations-for-logs/8.x/inspec/photon/libraries/kernel_module.rb new file mode 100644 index 00000000..7ce9faa8 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/libraries/kernel_module.rb 
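Review bot: `authprivlog`, `syslogServer` and `ntptype` carry their explanation as a trailing YAML comment rather than in a `description:` field like the other inputs, so the text is invisible to `inspec input list` and to profile tooling; move each into a description, e.g. `description: Expected log path for the authpriv facility in the rsyslog configuration`. The `syslogServer` default `x.x.x.x:514` is a placeholder that guarantees a finding until overridden, which its description should state. The file also ends without a trailing newline (`\ No newline at end of file`).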
@@ -0,0 +1,118 @@ +require 'inspec/resources/command' + +module Inspec::Resources + class KernelModule < Inspec.resource(1) + name 'kernel_module' + supports platform: 'unix' + desc 'Use the kernel_module InSpec audit resource to test kernel modules on + Linux platforms. These parameters are located under /lib/modules. Any submodule + may be tested using this resource. + + The `kernel_module` resource can also verify if a kernel module is `blacklisted` + or if a module is disabled via a fake install using the `bin_true` or `bin_false` + method.' + + example <<~EXAMPLE + describe kernel_module('video') do + it { should be_loaded } + it { should_not be_disabled } + it { should_not be_blacklisted } + end + + describe kernel_module('sstfb') do + it { should_not be_loaded } + it { should be_disabled } + end + + describe kernel_module('floppy') do + it { should be_blacklisted } + end + + describe kernel_module('dhcp') do + it { should_not be_loaded } + end + EXAMPLE + + def initialize(modulename = nil) + @module = modulename + # this resource is only supported on Linux + return skip_resource 'The `kernel_parameter` resource is not supported on your OS.' unless inspec.os.linux? + end + + def loaded? + lsmod_cmd = if inspec.os.redhat? || inspec.os.name == 'fedora' + '/sbin/lsmod' + else + 'lsmod' + end + + @retry_count = 0 + + begin + # get list of all modules + cmd = inspec.command(lsmod_cmd) + return false if cmd.exit_status != 0 + # check if module is loaded + re = Regexp.new('^' + Regexp.quote(@module) + '\s') + found = cmd.stdout.match(re) + !found.nil? + rescue Train::Transports::SSHFailed + @retry_count += 1 + raise if @retry_count >= 2 + + retry + end + end + + def disabled? + !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/(true|false)}).nil? + end + + def blacklisted? + !modprobe_output.match(/^blacklist\s+#{@module}/).nil? || disabled_via_bin_true? || disabled_via_bin_false? 
+ end + + def version + cmd = inspec.command("#{modinfo_cmd_for_os} -F version #{@module}") + cmd.exit_status == 0 ? cmd.stdout.delete("\n") : nil + end + + def resource_id + @module || 'Kernel Module' + end + + def to_s + "Kernel Module #{@module}" + end + + private + + def modprobe_output + @modprobe_output ||= inspec.command("#{modprobe_cmd_for_os} --showconfig").stdout + end + + def modinfo_cmd_for_os + if inspec.os.redhat? || inspec.os.name == 'fedora' + '/sbin/modinfo' + else + 'modinfo' + end + end + + def modprobe_cmd_for_os + if inspec.os.redhat? || inspec.os.name == 'fedora' + '/sbin/modprobe' + else + 'modprobe' + end + end + + def disabled_via_bin_true? + !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/true}).nil? + end + + def disabled_via_bin_false? + !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/false}).nil? + end + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/libraries/matchers.rb b/aria/operations-for-logs/8.x/inspec/photon/libraries/matchers.rb new file mode 100644 index 00000000..24053f7d --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/libraries/matchers.rb 
@@ -0,0 +1,153 @@ +# TODO: explain somewhere that :all_with_args, :all_without_args, :all_with_integer_arg +# will cause match_pam_rule to return true when there are no potential matches +RSpec::Matchers.define :match_pam_rule do |expected| + def matching_integer_arg?(line) + line.module_arguments.any? do |arg| + key, value = arg.split('=') + + value && (@args[:key] == key) && value.match?(/^-?\d+$/) && + value.to_i.send(@args[:operator].to_sym, @args[:value]) + end + end + + match do |actual| + case @args_type + when :all_with_args, :all_without_args, :all_with_integer_arg + retval = true + when :any_with_args, :any_with_integer_arg + retval = false + end + + if [:all_with_integer_arg, :any_with_integer_arg].include? @args_type + unless Numeric.method_defined?(@args[:operator]) + raise("Error: Operator '#{@args[:operator]}' is an invalid numeric comparison operator.") + end + end + + actual_munge = {} + + @expected = expected.to_s + + if @args_type + catch :stop_searching do + actual.services.each do |service| + expected_line = Pam::Rule.new(expected, { service_name: service }) + + potentials = actual.find_all do |line| + line.match?(expected_line) + end + + next unless potentials && !potentials.empty? + actual_munge[service] ||= [] + actual_munge[service] += potentials.map(&:to_s) + + potentials.each do |potential| + case @args_type + when :all_without_args + retval = !potential.module_arguments.join(' ').match?(@args) + throw :stop_searching unless retval + when :all_with_args + retval = potential.module_arguments.join(' ').match?(@args) + throw :stop_searching unless retval + when :all_with_integer_arg + retval = matching_integer_arg? potential + throw :stop_searching unless retval + when :any_with_integer_arg + retval = matching_integer_arg? 
potential + throw :stop_searching if retval + when :any_with_args + retval = potential.module_arguments.join(' ').match?(@args) + throw :stop_searching if retval + end + end + end + end + else + retval = actual.include?(expected, { service_name: actual.service }) + end + + @actual = if actual_munge.empty? + actual.to_s + elsif actual_munge.keys.length == 1 + actual_munge.values.flatten.join("\n") + else + actual_munge.map do |service, lines| + lines.map do |line| + service + ' ' + line + end + end.flatten.join("\n") + end + + retval + end + + diffable + + # TODO: make these an array of args so that we can actually chain them together + chain :any_with_args do |args| + @args_type = :any_with_args + @args = args + end + + chain :all_with_args do |args| + @args_type = :all_with_args + @args = args + end + + chain :all_without_args do |args| + @args_type = :all_without_args + @args = args + end + + chain :all_with_integer_arg do |key, op, value| + @args_type = :all_with_integer_arg + @args = { key: key, operator: op, value: value } + end + + chain :any_with_integer_arg do |key, op, value| + @args_type = :any_with_integer_arg + @args = { key: key, operator: op, value: value } + end + + description do + res = "include #{expected}" + case @args_type + when :all_with_args + res += ", all with args #{@args}" + when :all_without_args + res += ", all without args #{@args}" + when :all_with_integer_arg + res += ", all with arg #{@args[:key]} #{@args[:operator]} #{@args[:value]}" + when :any_with_integer_arg + res += ", any with arg #{@args[:key]} #{@args[:operator]} #{@args[:value]}" + when :any_with_args + res += ", any with args #{@args}" + end + res + end +end + +RSpec::Matchers.define :match_pam_rules do |expected| + match do |actual| + @expected = expected.to_s + @actual = actual.to_s + + if @exactly && actual.respond_to?(:include_exactly?) 
+ actual.include_exactly?(expected) + else + actual.include?(expected) + end + end + + diffable + + chain :exactly do + @exactly = true + end + + description do + res = "include #{expected}" + res += ' exactly' unless @exactly.nil? + res + end +end diff --git a/aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb b/aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb new file mode 100644 index 00000000..2c63ed65 --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb 
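Review bot: As the leading TODO in `match_pam_rule` admits, the `:all_with_args`, `:all_without_args` and `:all_with_integer_arg` chains return `true` when no rule matches `expected` at all — `retval` starts as `true` and is only lowered inside the `potentials.each` loop — so `should match_pam_rule('...').all_with_args(...)` passes vacuously on a file that lacks the rule entirely. If no caller relies on that, force a failure when nothing matched, after the `catch :stop_searching` block: `retval = false if %i[all_with_args all_without_args all_with_integer_arg].include?(@args_type) && actual_munge.empty?`; otherwise state the vacuous-truth behaviour in the `description` block rather than in a TODO. Minor: `raise("Error: ...")` for an invalid operator is better written `raise ArgumentError, "..."`, and the `actual_munge.map { ... }.flatten.join("\n")` can be `flat_map`.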
@@ -0,0 +1,358 @@
+class Pam < Inspec.resource(1)
+ # These are aliases for one another
+ attr_reader :rules, :lines
+
+ # These are here for useful interfaces into the module stack based on
+ # common searches
+ attr_reader :services, :types, :modules
+
+ name 'pam'
+
+ supports platform: 'unix'
+
+ desc 'Use the InSpec pam resource to test the given system pam configuration'
+ example "
+ # Query for a match:
+ describe pam('/etc/pam.d/system-auth') do
+ its('rules') { should match_pam_rule('password sufficient pam_unix.so sha512') }
+ end
+ # Query everything for a match without specific arguments
+ # You can use a Ruby regexp match for everything except arguments
+ describe pam('/etc/pam.d') do
+ its('rules') { should match_pam_rule('.* .* pam_unix.so').all_without_args('nullok' }
+ end
+ # Query for multiple lines
+ describe pam('/etc/pam.d/password-auth') do
+ required_rules = [
+ 'auth required pam_faillock.so',
+ 'auth sufficient pam_unix.so try_first_pass'
+ ]
+ its('rules') { should match_pam_rules(required_rules) }
+ end
+ # Query for multiple rules without any rules in between them
+ describe pam('/etc/pam.d/password-auth') do
+ required_rules = [
+ 'auth required pam_faillock.so',
+ 'auth sufficient pam_unix.so try_first_pass'
+ ]
+ its('rules') { should match_pam_rules(required_rules).exactly }
+ end
+ "
+
+ class PamError < StandardError; end
+
+ def initialize(path = '/etc/pam.d')
+ # To know what we were actually derived from
+ @path = path
+
+ # Easy access helpers
+ @services = {}
+ @types = {}
+ @modules = {}
+
+ config_target = inspec.file(path)
+
+ @rules = Pam::Rules.new(config_target)
+ @lines = @rules
+
+ @top_config = false
+ if path.strip == '/etc/pam.conf'
+ @top_config = true
+ end
+
+ parse_content(config_target)
+ end
+
+ # Process a PAM configuration file
+ #
+ # @param [String] path The path to the file or directory to process
+ # @param [String] service_name The PAM Service under which the content falls.
+ # Mainly used for recursive processing
+ def parse_content(path, service_name = nil)
+ config_files = Array(path)
+
+ if path.directory?
+ config_files = inspec.bash("ls #{path}/*").stdout.lines.map { |f| inspec.file(f.strip) }
+ end
+
+ config_files.each do |config_file|
+ next unless config_file.content
+
+ # Support multi-line continuance and skip all comments and blank lines
+ rules = config_file.content.gsub("\\\n", ' ').lines.map(&:strip).delete_if do |line|
+ line =~ /^(\s*#.*|\s*)$/
+ end
+
+ service = service_name
+ unless service || @top_config
+ service = config_file.basename
+ end
+
+ rules.each do |rule|
+ new_rule = Pam::Rule.new(rule, { service_name: service })
+
+ # If we hit an 'include' or 'substack' statement, we need to derail and
+ # delve down that tail until we hit the end
+ #
+ # There's no recursion checking here but, if you have a recursive PAM
+ # stack, you're probably not logging into your system anyway
+ if ['include', 'substack'].include?(new_rule.control)
+ # Support full path specification includes
+ subtarget = if new_rule.module_path[0].chr == '/'
+ inspec.file(new_rule.module_path)
+ elsif File.directory?(path.path)
+ inspec.file(File.join(path.path, new_rule.module_path))
+ else
+ inspec.file(File.join(File.dirname(path.path), new_rule.module_path))
+ end
+
+ if subtarget.exist?
+ parse_content(subtarget, service)
+ end
+ else
+
+ unless new_rule.type && new_rule.control && new_rule.module_path
+ raise PamError, "Invalid PAM config found at #{config_file}"
+ end
+
+ @services[new_rule.service] ||= []
+ @services[new_rule.service] << new_rule
+
+ @types[new_rule.type] ||= []
+ @types[new_rule.type] << new_rule
+
+ @modules[new_rule.module_path] ||= []
+ @modules[new_rule.module_path] << new_rule
+
+ @rules.push(new_rule)
+ end
+ end
+ end
+ end
+
+ def to_s
+ "PAM Config[#{@path}]"
+ end
+
+ def service(service_name)
+ @services[service_name]
+ end
+
+ def type(type_name)
+ @types[type_name]
+ end
+
+ def module(module_name)
+ @modules[module_name]
+ end
+
+ # The list of rules with a bunch of helpers for matching in the future
+ #
+ # We do fuzzy matching across the board when checking for internal rule
+ # matches
+ class Rules < Array
+ def initialize(config_target)
+ @config_target = config_target
+ end
+
+ def services
+ collect { |l| l.service }.sort.uniq
+ end
+
+ def service
+ svcs = collect { |l| l.service }.sort.uniq
+ if svcs.length > 1
+ raise PamError, %(More than one service found: '[#{svcs.join("', '")}]')
+ end
+
+ svcs.first
+ end
+
+ def first?(rule, opts = { service_name: nil })
+ raise PamError, 'opts must be a hash' unless opts.is_a?(Hash)
+
+ service_name = get_service_name(opts[:service_name])
+
+ svcrule = Pam::Rule.new(rule, { service_name: service_name })
+
+ rules_of_type(svcrule.type, opts).first == svcrule
+ end
+
+ def last?(rule, opts = { service_name: nil })
+ raise PamError, 'opts must be a hash' unless opts.is_a?(Hash)
+
+ service_name = get_service_name(opts[:service_name])
+
+ svcrule = Pam::Rule.new(rule, { service_name: service_name })
+
+ rules_of_type(svcrule.type, opts).last == svcrule
+ end
+
+ def rules_of_type(rule_type, opts = { service_name: nil })
+ raise PamError, 'opts must be a hash' unless opts.is_a?(Hash)
+
+ service_name = get_service_name(opts[:service_name])
+
+ if @services[service_name]
+ @services[service_name].find_all do |l|
+ l.type == rule_type
+ end
+ else
+ []
+ end
+ end
+
+ # Determines if one or more rules are contained in the rule set
+ #
+ # @param [Array[String] rules The Rules to find
+ # @param [Hash] opts Options for the include processor
+ # @option opts [Boolean] :exact
+ # If set, no rules may be present between the rules provided in `rules`
+ # If unset, the rules simply need to be in the correct order, other rules
+ # may appear between them
+ # @option opts [String] :service_name The PAM Service under which the rules
+ # should be searched
+ # @return [Boolean] true if found, false otherwise
+ def include?(rules, opts = { exact: false, service_name: nil })
+ raise PamError, 'opts must be a hash' unless opts.is_a?(Hash)
+
+ service_name = get_service_name(opts[:service_name])
+
+ rules = Array(rules).map { |l| Pam::Rule.new(l, { service_name: service_name }) }
+
+ retval = false
+
+ if opts[:exact]
+ # This requires everything between the first and last rule to match
+ # exactly
+
+ first_entry = index(rules.first)
+ last_entry = index(rules.last)
+
+ if first_entry && last_entry
+ retval = (self[first_entry..last_entry] == rules)
+ end
+ else
+ # This match allows other rules between the two in question
+ retval = (rules.select { |l| super(l) } == rules)
+ end
+
+ retval
+ end
+ alias_method :match, :include?
+
+ # An alias for setting `:exact => true` in the `include` method
+ def include_exactly?(rules, opts = {})
+ include?(rules, opts.merge({ exact: true }))
+ end
+ alias_method :match_exactly, :include_exactly?
+
+ # Convert the data structure to an Array suitable for an RSpec diff
+ #
+ # @return [Array[String]]
+ def to_a
+ sort_by { |l| l.type }.map { |l| l.to_s }
+ end
+
+ # Convert the data structure to a String
+ #
+ # @return [String]
+ def to_s
+ to_a.join("\n")
+ end
+
+ private
+
+ # Get the service name out of the configuration target
+ #
+ # @param [String] svc_name Optional name of the service that should be
+ # returned
+ #
+ # @return String
+ def get_service_name(svc_name = nil)
+ return svc_name if svc_name
+
+ if !svc_name && @config_target.directory?
+ raise PamError, 'You must pass ":service_name" as an option!'
+ else
+ @config_target.basename
+ end
+ end
+ end
+
+ # A single Rule object that has been processed
+ #
+ # Rule equality is a fuzzy match that can accept regular expression matches
+ # within the string to compare
+ class Rule
+ attr_reader :to_s
+ attr_reader :service, :silent, :type, :control, :module_path, :module_arguments
+
+ def initialize(rule, opts = {})
+ @to_s = rule.strip.gsub(/\s+/, ' ')
+
+ rule_regex = <<-'EOM'
+ # Start of Rule
+ ^
+ # Ignore initial Whitespace
+ \s*
+ # Capture Silent Flag
+ (?-)?
+ EOM
+
+ unless opts[:service_name]
+ rule_regex += <<-'EOM'
+ # Capture Service
+ (?.+?)\s+
+ EOM
+ end
+
+ rule_regex += <<-'EOM'
+ # Capture Type
+ (?.+?)\s+
+ # Capture Control
+ (?(\[.+\]|.+?))\s+
+ # Capture Module Path
+ (?.+?(\.so)?)
+ # Capture Module Args
+ (\s+(?.+?))?
+ # End of Rule
+ $
+ EOM
+
+ match_data = rule.match(Regexp.new(rule_regex, Regexp::EXTENDED))
+
+ unless match_data
+ raise PamError, "Invalid PAM configuration rule: '#{rule}'"
+ end
+
+ @service = opts[:service_name] || match_data[:service_name]
+ @silent = match_data[:silent] == '-'
+ @type = match_data[:type]
+ @control = match_data[:control]
+ @module_path = match_data[:module_path]
+ @module_arguments = match_data[:module_args] ? match_data[:module_args].strip.split(/\s+/) : []
+ end
+
+ def match?(to_cmp)
+ to_cmp = Pam::Rule.new(to_cmp, { service_name: @service }) if to_cmp.is_a?(String)
+
+ # The simple match first
+ self.class == to_cmp.class &&
+ @service.match(Regexp.new("^#{to_cmp.service}$")) &&
+ @type.match(Regexp.new("^#{to_cmp.type}$")) &&
+ @control.match(Regexp.new("^#{to_cmp.control.gsub(/(\[|\])/, '\\\\\\1')}$")) &&
+ @module_path.match(Regexp.new("^#{to_cmp.module_path}$")) &&
+ (
+ # Quick test to pass if to_cmp module_arguments are a subset
+ (to_cmp.module_arguments - @module_arguments).empty? ||
+ # All module_arguments in to_cmp should Regex match something
+ to_cmp.module_arguments.all? do |arg|
+ !@module_arguments.grep(Regexp.new("^#{arg}$")).empty?
+ end
+ )
+ end
+ alias_method :==, :match?
+ alias_method :eql?, :==
+ end
+end
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000002.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000002.rb
deleted file mode 100644
index 305377ea..00000000
--- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000002.rb
+++ /dev/null
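Review bot: The non-exact branch of `Rules#include?`, `retval = (rules.select { |l| super(l) } == rules)`, only checks that each requested rule appears somewhere in the stack and never compares positions, so the ordering promised by the method's own `@option` comment ("the rules simply need to be in the correct order") is not enforced and a PAM stack that lists two requested rules in reverse order still satisfies `match_pam_rules`, even though module order changes PAM's behaviour. Walking the stack with a forward-only cursor, as below, gives the documented behaviour and leaves the `exact` branch untouched; `Array#index` uses the same fuzzy `Rule#==` that `super(l)` relies on, so matching semantics do not change. Two smaller points in the same hunk: the `example` string has an unbalanced call, `.all_without_args('nullok' }` should read `.all_without_args('nullok') }`, and `parse_content` builds its directory listing with `inspec.bash("ls #{path}/*")`, which mis-splits paths containing spaces or glob characters, so quoting the path or listing through a non-shell file API would be more robust.
```ruby
    def include?(rules, opts = { exact: false, service_name: nil })
      # … unchanged: opts validation, service_name lookup, Rule construction …
      retval = false

      if opts[:exact]
        # … unchanged: exact-slice comparison …
      else
        # Every requested rule must be present and in the given order; other
        # rules may sit between them. The cursor only moves forward, so an
        # earlier stack entry can never satisfy a later requested rule.
        cursor = 0
        retval = rules.all? do |rule|
          found = drop(cursor).index(rule)
          next false unless found

          cursor += found + 1
          true
        end
      end

      retval
    end
```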
@@ -1,97 +0,0 @@ -control 'TCSV-00-000002' do - title 'tc Server Secured connectors must be configured to use strong encryption ciphers.' - desc " - The tc Server has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented. - - The Tomcat element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent encryption protections that are configured for the connector. Strong ciphers must be employed when configuring a secured connector. - - The configuration attribute and its values depend on what HTTPS implementation is being utilized. It may be either a Java-based implementation (e.g., JSSE — with BIO and/or NIO connectors), or an OpenSSL-based implementation (with an APR connector). - - TLSv1.2 or TLSv1.3 ciphers are configured via the server.xml file on a per connector basis. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1. - " - desc 'rationale', '' - desc 'check', " - For Connectors, at the command prompt, run the following command: - - # xmllint -xpath \"//Connector/\" $CATALINA_BASE/conf/server.xml. - - Examine each element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure. - - If ciphers are not defined, or insecure ciphers are configured for use, this is a finding. - - EXAMPLE: - - - - - - - " - desc 'fix', " - Navigate to and open $CATALINA_HOME/server.xml. - - Navigate to each of the nodes that is not a redirect to a secure port. - - Configure each node with the setting 'protocols=\"TLSv1.2\"'. 
- - EXAMPLE: - - - - - - \t - - Restart the service: - # systemctl restart loginsight.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000014-AS-000009' - tag satisfies: ['SRG-APP-000015-AS-000010'] - tag gid: 'V-TCSV-00-000002' - tag rid: 'SV-TCSV-00-000002' - tag stig_id: 'TCSV-00-000002' - tag cci: %w(CCI-000068 CCI-001453) - tag nist: ['AC-17 (2)'] - - # Open server.xml file - xmlconf = xml("#{input('catalinaBase')}/conf/server.xml") - - # loop through given list of allowed secure ports - input('securePorts').each do |sp| - # Get a count of connectors bound to that port - conn = xmlconf["//*/Connector[@port='#{sp}']"].count - if conn > 0 - # If connectors found, check the ciphers setting - lst = xmlconf["//Connector[@port='#{sp}']/@ciphers"].join(' ').gsub("\r", '').gsub("\n", '').gsub('"', '').gsub(' ', '').split(',') - lst.each do |cipher| - describe cipher do - it { should be_in input('allowedCiphers') } - end - end - else - describe "Checking for connectors bound to secure port #{sp}" do - skip "No connectors bound to secure port #{sp}" - end - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000025.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000025.rb deleted file mode 100644 index adf2cf9e..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000025.rb +++ /dev/null 
@@ -1,32 +0,0 @@ -control 'TCSV-00-000025' do - title 'tc Server logs folder permissions must be set correctly.' - desc 'tc Server file permissions must be restricted. The standard configuration is to have all files owned by root with group tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the tomcat user rather than root. This means that even if an attacker compromises the tc Server process, they cannot change the tc Server configuration, deploy new web applications, or modify existing web applications. The tc Server process runs with a umask of 0027 to maintain these permissions.' - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # find $CATALINA_BASE/logs -follow -maxdepth 0 -type d \\( \\! -perm 750 \\) -ls - - If no folders are displayed, this is not a finding. - - If results indicate the $CATALINA_BASE/logs folder permissions are not set to 750, this is a finding. - " - desc 'fix', " - At the command prompt, run the following command: - - # find $CATALINA_BASE/logs -follow -maxdepth 0 -type d | sudo xargs chmod 750 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000118-AS-000078' - tag satisfies: ['SRG-APP-000120-AS-000080'] - tag gid: 'V-TCSV-00-000025' - tag rid: 'SV-TCSV-00-000025' - tag stig_id: 'TCSV-00-000025' - tag cci: %w(CCI-000162 CCI-000164) - tag nist: ['AU-9'] - - describe file("#{input('catalinaBase')}/logs") do - it { should_not be_more_permissive_than('0750') } - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000026.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000026.rb deleted file mode 100644 index a72962a7..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000026.rb +++ /dev/null 
@@ -1,33 +0,0 @@ -control 'TCSV-00-000026' do - title 'Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640.' - desc 'tc Server file permissions must be restricted. The standard configuration is to have all files owned by root with group tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the tomcat user rather than root. This means that even if an attacker compromises the tc Server process, they cannot change the configuration, deploy new web applications, or modify existing web applications. The tc Server process runs with a umask of 0027 to maintain these permissions.' - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f \\( \\! -perm 640 \\) -ls - - If no files are displayed, this is not a finding. - - If results indicate any of the file permissions contained in the $CATALINA_BASE/logs folder are not set to 640, this is a finding. - " - desc 'fix', " - At the command prompt, run the following command: - - # find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f | sudo xargs chmod 640 - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000119-AS-000079' - tag gid: 'V-TCSV-00-000026' - tag rid: 'SV-TCSV-00-000026' - tag stig_id: 'TCSV-00-000026' - tag cci: ['CCI-000163'] - tag nist: ['AU-9'] - - command("find '#{input('catalinaBase')}/logs' -type f -xdev").stdout.split.each do |fname| - describe file(fname) do - it { should_not be_more_permissive_than('0640') } - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000037.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000037.rb deleted file mode 100644 index 745fec64..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000037.rb +++ /dev/null 
@@ -1,47 +0,0 @@ -control 'TCSV-00-000037' do - title 'tc Server must be configured to use a specified IP address and port.' - desc " - The tc Server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the tc Server to utilize, the server will listen on all IP addresses available. - - Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address. - " - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # xmllint --xpath \"//Connector[not(@port) or not(@address)]\" $CATALINA_BASE/conf/server.xml - - If no values are returned, this is not a finding. - - If any values are returned, signifying either the IP address or the port is not specified for each , this is a finding. - " - desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. - - Navigate to each of the nodes. - - Configure each node with the value 'address=\"XXXXX\"' and 'port=\"XXXX\"'. - - Note: Replace X values with the appropriate address and port for each connector. - - Restart the service: - # systemctl restart loginsight.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000142-AS-000014' - tag satisfies: ['SRG-APP-000516-AS-000237'] - tag gid: 'V-TCSV-00-000037' - tag rid: 'SV-TCSV-00-000037' - tag stig_id: 'TCSV-00-000037' - tag cci: %w(CCI-000366 CCI-000382) - tag nist: ['CM-6 b', 'CM-7 b'] - - # Open server.xml file - xmlconf = xml("#{input('catalinaBase')}/conf/server.xml") - - # Get a count of connectors without an 'address' attribute - describe xmlconf do - its(['name(//Connector[not(@port) or not(@address)])']) { should cmp [] } - end -end 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000045.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000045.rb deleted file mode 100644 index fe9e7b1d..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000045.rb +++ /dev/null 
@@ -1,56 +0,0 @@ -control 'TCSV-00-000045' do - title 'The tc Server must encrypt passwords during transmission.' - desc " - Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate can be passed to and from the tc Server for many reasons. - - Examples include data passed from a user to the tc Server through an HTTPS connection for authentication, the tc Server authenticating to a backend database for data retrieval and posting, and the tc Server authenticating to a clustered web server manager for an update. - - HTTP connections in tc Server are managed through the Connector object. By setting the Connector's “SSLEnabled” flag, SSL handshake/encryption/decryption is enabled. - " - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # xmllint --xpath \"//Connector[not(@SSLEnabled)] | //Connector[@SSLEnabled != 'true']\" $CATALINA_BASE/conf/server.xml - - If no data is returned, this is not a finding. - - For any data returned, if the value of “SSLEnabled” is not set to “true” or is missing for nodes that are configured to use a secure port, this is a finding. - " - desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. - - Navigate to each of the nodes that are configured to use a secure port. - - Configure each with the value 'SSLEnabled=\"true\"'. 
- " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000172-AS-000120' - tag satisfies: ['SRG-APP-000172-AS-000121'] - tag gid: 'V-TCSV-00-000045' - tag rid: 'SV-TCSV-00-000045' - tag stig_id: 'TCSV-00-000045' - tag cci: ['CCI-000197'] - tag nist: ['IA-5 (1) (c)'] - - # Open server.xml file - xmlconf = xml("#{input('catalinaBase')}/conf/server.xml") - - # loop through given list of allowed secure ports - input('securePorts').each do |sp| - # Get a count of connectors bound to that port - conn = xmlconf["//*/Connector[@port='#{sp}']/"].count - if conn > 0 - # If connectors found, check the SSLEnabled setting - describe "Checking for SSLEnabled on connectors using secure port #{sp}" do - subject { xmlconf["//*/Connector[@port='#{sp}']/@SSLEnabled"] } - it { should eq ['true'] } - end - else - describe "Checking for connectors bound to secure port #{sp}" do - skip "No connectors bound to secure port #{sp}" - end - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000048.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000048.rb deleted file mode 100644 index be05bfed..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000048.rb +++ /dev/null 
@@ -1,55 +0,0 @@ -control 'TCSV-00-000048' do - title 'tc Server must only allow authorized system administrators to have access to the keystore.' - desc " - The tc Server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the server and clients. - - By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the server. - - The default .keystore file location is the home folder of the user account used to run tc Server, although some administrators may choose to place the file elsewhere. The location will also be specified in the server.xml file. - " - desc 'rationale', '' - desc 'check', " - Identify the location of the .keystore file. Refer to system documentation or review the server.xml file for a specified .keystore file location. - - At the command prompt, run the following command: - - # xmllint --xpath \"//Certificate/@certificateKeystoreFile | //Connector/@keystoreFile\" $CATALINA_BASE/conf/server.xml | awk 1 RS=' ' - - For each file path returned, check the file permissions by running the command below: - - # ls -la [keystorefile location] - - Verify that file permissions are set to “640” or more restrictive. - - Verify that the owner and group-owner are set according to system requirements. If either of these conditions are not met, this is a finding. - " - desc 'fix', " - At the command prompt, execute the following commands: - - # chmod 640 [keystorefile location] - # chown tomcat [keystorefile location] - # chgrp tomcat [keystorefile location] - - Note: The user and group name tomcat is used here as a reference, but technically can be named anything. 
- " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000176-AS-000125' - tag gid: 'V-TCSV-00-000048' - tag rid: 'SV-TCSV-00-000048' - tag stig_id: 'TCSV-00-000048' - tag cci: ['CCI-000186'] - tag nist: ['IA-5 (2) (b)'] - - if file(input('keystoreFile')).exist? - describe file(input('keystoreFile')) do - its('owner') { should eq "#{input('svcAccountName')}" } - its('group') { should eq "#{input('svcGroup')}" } - it { should_not be_more_permissive_than('0640') } - end - else - describe 'Keystore File not defined or not found' do - skip 'No Keystore File found' - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000051.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000051.rb deleted file mode 100644 index ad90c2b2..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000051.rb +++ /dev/null 
@@ -1,64 +0,0 @@ -control 'TCSV-00-000051' do - title 'tc Server must use FIPS-validated ciphers on secured connectors.' - desc " - Connectors are how tc Server receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends the results back to the requestor. Cryptographic ciphers are associated with the connector to create a secured connector. To ensure encryption strength is adequately maintained, the ciphers used must be FIPS 140-2-validated. - - The FIPS-validated crypto libraries are not provided by tc Server; they are included as part of the Java instance and the underlying Operating System. The STIG checks to ensure the FIPSMode setting is enabled for the connector and also checks the logs for FIPS errors, which indicates FIPS non-compliance at the OS or Java layers. The administrator is responsible for ensuring the OS and Java instance selected for the tc Server installation provide and enable these FIPS modules so tc Server can be configured to use them. - " - desc 'rationale', '' - desc 'check', " - From the server console, run the following two commands to verify tc Server is configured to use FIPS: - - sudo grep -i FIPSMode $CATALINA_BASE/conf/server.xml - - sudo grep -i FIPSMode $CATALINA_BASE/logs/catalina.out - - If server.xml does not contain FIPSMode=\"on\", or if catalina.out does not contain the message \"Successfully entered FIPS mode\", this is a finding. - " - desc 'fix', " - In addition to configuring tc Server, the administrator must also configure the underlying OS and Java engine to use FIPS validated encryption modules. This fix instructs how to enable FIPSMode within tc Server. The OS and Java engine must be configured to use the FIPS validated modules according to the chosen OS and Java engine. - - Navigate to and open $CATALINA_HOME/server.xml. - - In the list of elements, locate the AprLifecycleListener. Add or edit the FIPSMode setting and set it to FIPSMode=\"on\". 
- - EXAMPLE: - - - Restart the Tomcat server: - #sudo systemctl restart loginsight.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000179-AS-000129' - tag satisfies: ['SRG-APP-000439-AS-000274'] - tag gid: 'V-TCSV-00-000051' - tag rid: 'SV-TCSV-00-000051' - tag stig_id: 'TCSV-00-000051' - tag cci: %w(CCI-000803 CCI-002418) - tag nist: %w(IA-7 SC-8) - - # Get path to server.xml file - xmlconf = xml("#{input('catalinaBase')}/conf/server.xml") - - # Check for a Listener Element - describe xmlconf['//Listener[contains(@className, "AprLifecycleListener")]/@FIPSMode'] do - it { should eq ['on'] } - end - - # Check catalina log for FIPS success - if file("#{input('catalinaHome')}/logs/catalina.out").exist? - describe 'Checking catalina log for FIPS Mode enabled' do - subject { file("#{input('catalinaHome')}/logs/catalina.out").content } - it { should include('Successfully entered FIPS mode') } - end - else - describe 'Catalina.out log file not found in default location' do - skip 'Catalina.out log file not found' - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000088.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000088.rb deleted file mode 100644 index 256c1c00..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000088.rb +++ /dev/null 
@@ -1,34 +0,0 @@ -control 'TCSV-00-000088' do - title 'tc Server binary file permissions must be restricted.' - desc "The standard configuration is to have the folder where tc Server is installed owned by a non-root user and group (normally 'tomcat' for the first instance, but can be different per instance). The $CATALINA_HOME environment variable should be set to the location of the root directory of the \"binary\" distribution of tc Server." - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command (substituting 'tomcat' with the appropriate username): - - # find $CATALINA_HOME -follow -maxdepth 0 \\( ! -user tomcat ! -group tomcat \\) -ls - - If no folders are displayed, this is not a finding. - - If results indicate that $CATALINA_HOME folder ownership and group membership are not set to the specified user and group, this is a finding. - " - desc 'fix', " - At the command prompt, run the following commands (substituting 'tomcat' with the appropriate username): - - # find $CATALINA_HOME -maxdepth 0 \\( ! -user tomcat\\) | sudo xargs chown tomcat - - # find $CATALINA_HOME -maxdepth 0 \\( ! -group tomcat \\) | sudo xargs chgrp tomcat - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000380-AS-000088' - tag gid: 'V-TCSV-00-000088' - tag rid: 'SV-TCSV-00-000088' - tag stig_id: 'TCSV-00-000088' - tag cci: ['CCI-001813'] - tag nist: ['CM-5 (1)'] - - describe file("#{input('catalinaHome')}") do - its('owner') { should cmp "#{input('tcCoreUser')}" } - its('group') { should cmp "#{input('tcCoreGroup')}" } - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000100.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000100.rb deleted file mode 100644 index 7a5c6ebb..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000100.rb +++ /dev/null 
@@ -1,95 +0,0 @@ -control 'TCSV-00-000100' do - title 'tc Server must use NSA Suite A cryptography when encrypting data that must be compartmentalized.' - desc " - Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. - - NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: - - \"Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms are used to protect systems requiring the most stringent protection mechanisms.\" - - NSA-approved cryptography is required to be used for classified information system processing. - - The application server must utilize NSA-approved encryption modules when protecting classified data. This means using AES and other approved encryption modules. - " - desc 'rationale', '' - desc 'check', " - If the system is not implemented to process compartmentalized information, this requirement is Not Applicable. - - Navigate to and open $CATALINA_BASE/conf/server.xml. - - Navigate to each of the nodes. - - If the value of \"ciphers\" does not match the list of NSA Suite A ciphers or is missing, this is a finding. - - EXAMPLE: - - - - - - - " - desc 'fix', " - Navigate to and open $CATALINA_HOME/server.xml. - - Navigate to each of the nodes. - - Configure the \"ciphers\" attribute with NSA Suite A approved ciphers. 
- - EXAMPLE: - - - - - - - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000416-AS-000140' - tag gid: 'V-TCSV-00-000100' - tag rid: 'SV-TCSV-00-000100' - tag stig_id: 'TCSV-00-000100' - tag cci: ['CCI-002450'] - tag nist: ['SC-13'] - - # Open server.xml file - xmlconf = xml("#{input('catalinaBase')}/conf/server.xml") - - # loop through given list of allowed secure ports - input('securePorts').each do |sp| - # Get a count of connectors bound to that port - conn = xmlconf["//*/Connector[@port='#{sp}']"].count - if conn > 0 - # If connectors found, check the ciphers setting - lst = xmlconf["//Connector[@port='#{sp}']/@ciphers"].join(' ').gsub("\r", '').gsub("\n", '').gsub('"', '').gsub(' ', '').split(',') - lst.each do |cipher| - describe cipher do - it { should be_in input('allowedCiphers') } - end - end - else - describe "Checking for connectors bound to secure port #{sp}" do - skip "No connectors bound to secure port #{sp}" - end - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000105.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000105.rb deleted file mode 100644 index 06a0985b..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000105.rb +++ /dev/null 
@@ -1,32 +0,0 @@ -control 'TCSV-00-000105' do - title 'tc Server must be patched for security vulnerabilities.' - desc 'tc Server is constantly being updated to address newly discovered vulnerabilities, some of which include denial-of-service attacks. To address this risk, the administrator must ensure the system remains up to date on patches.' - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # $JAVA_HOME/bin/java -cp /usr/lib/loginsight/application/lib/web-tomcat-li.jar org.apache.catalina.util.ServerInfo - - Compare the version running on the system to the latest secure version. - - If the latest secure version of tc Server is not installed, this is a finding. - " - desc 'fix', " - Follow operational procedures for upgrading tc Server. Download latest version of tc Server and install in a test environment. Test applications that are running in production and follow all operations best practices when upgrading the production tc Server application servers. - - Update the tc Server production instance accordingly and ensure corrected builds are installed once tested and verified. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000435-AS-000163' - tag gid: 'V-TCSV-00-000105' - tag rid: 'SV-TCSV-00-000105' - tag stig_id: 'TCSV-00-000105' - tag cci: ['CCI-002385'] - tag nist: ['SC-5'] - - # No easy way to get the tomcat version - call up the serverinfo jar - describe command("#{input('javaHome')}/bin/java -cp /usr/lib/loginsight/application/lib/web-tomcat-li.jar org.apache.catalina.util.ServerInfo") do - its('stdout') { should include input('tcVersion') } - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000106.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000106.rb deleted file mode 100644 index e11aabe0..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000106.rb +++ /dev/null 
@@ -1,71 +0,0 @@ -control 'TCSV-00-000106' do - title ' tc Server must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version.' - desc " - Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enabled and non-FIPS-approved SSL versions must be disabled. - - NIST SP 800-52 defines the approved TLS versions for government applications. - - tc Server connections are managed by the Connector object class. The Connector object can be configured to use a range of transport encryption methods. Many older transport encryption methods have been proven to be weak. tc Server should be configured to use the sslEnabledProtocols correctly to ensure that older, less secure forms of transport security are not used. - " - desc 'rationale', '' - desc 'check', " - Navigate to and open $CATALINA_BASE/conf/server.xml. - - Navigate to each of the nodes. - - If the value of \"protocols\" is not set to one of \"TLSv1.2\", \"TLSv1.3\", \"TLSv1.2,TLSv1.3\", or is missing, this is a finding. - - EXAMPLE: - - " - desc 'fix', " - Navigate to and open $CATALINA_HOME/server.xml. - - Navigate to each of the nodes configured to listen on a secure port. - - Configure each node with the setting 'sslEnabledProtocols=\"TLSv1.2\"'. 
- - EXAMPLE: - - - Restart the service: - # systemctl restart loginsight.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000439-AS-000155' - tag satisfies: %w(SRG-APP-000440-AS-000167 SRG-APP-000442-AS-000259) - tag gid: 'V-TCSV-00-000106' - tag rid: 'SV-TCSV-00-000106' - tag stig_id: 'TCSV-00-000106' - tag cci: %w(CCI-002418 CCI-002421 CCI-002422) - tag nist: ['SC-8', 'SC-8 (1)', 'SC-8 (2)'] - - # Open server.xml file - xmlconf = xml("#{input('catalinaBase')}/conf/server.xml") - - # loop through given list of allowed secure ports - input('securePorts').each do |sp| - # Get a count of connectors bound to that port - conn = xmlconf["//*/Connector[@port='#{sp}']"].count - if conn > 0 - # If connectors found, check the sslEnabledProtocols setting - describe "Checking sslEnabledProtocols on connectors using secure port #{sp}" do - subject { xmlconf["//Connector[@port='#{sp}']/@sslEnabledProtocols"] } - it { should cmp ['TLSv1.2'] } - end - else - describe "Checking for connectors bound to secure port #{sp}" do - skip "No connectors bound to secure port #{sp}" - end - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000117.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000117.rb deleted file mode 100644 index fbea1fad..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000117.rb +++ /dev/null 
@@ -1,40 +0,0 @@ -control 'TCSV-00-000117' do - title 'Changes to $CATALINA_HOME/bin/ folder must be logged.' - desc 'The $CATALINA_HOME/bin folder contains startup and control scripts for the tc Server Catalina service. To provide forensic evidence in the event of file tampering, changes to content in this folder must be logged. This can be done on the Ubuntu OS via the auditctl command (For Linux OS flavors other than Ubuntu, use the relevant OS commands). Use the "-p wa" flag to set the permissions flag for a file system watch to log change events.' - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command to check the audit rules for the tc Server folders: - - # auditctl -l | grep -i tomcat - - If the results do not include -w $CATALINA_HOME/bin -p wa -k tomcat, or if there are no results, this is a finding. - - Note: The names tomcat.service and tomcat are used here as references, but technically they can be called anything. - " - desc 'fix', " - At the command prompt, run the following command to audit the configuration files: - - # auditctl -w $CATALINA_HOME/bin -p wa -k tomcat - - Validate the audit watch was created. - - # auditctl -l - - EXAMPLE: - -w /opt/tomcat/latest/bin -p wa -k tomcat - - Note: The name tomcat is used here as a reference, but technically it can be called anything. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000504-AS-000229' - tag gid: 'V-TCSV-00-000117' - tag rid: 'SV-TCSV-00-000117' - tag stig_id: 'TCSV-00-000117' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] - - describe auditd do - its('lines') { should include %r{-w #{input('catalinaHome')}/bin -p wa -k #{input('tcCoreUser')}} } - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000134.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000134.rb deleted file mode 100644 index 1537db70..00000000 
--- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000134.rb +++ /dev/null 
@@ -1,60 +0,0 @@ -control 'TCSV-00-000134' do - title 'The shutdown port must be disabled.' - desc 'tc Server by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within tc Server are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Setting the port to "-1" instructs tc Server to not listen for the shutdown command.' - desc 'rationale', '' - desc 'check', " - To check the shutdown port, at the command prompt, run the following command: - - # grep \"base.shutdown.port\" $CATALINA_BASE/conf/catalina.properties - - Expected output: - - base.shutdown.port=-1 - - To check the shutdown command, at the command prompt, run the following command: - - # xmllint --xpath \"//Server/@port | //Server/@shutdown\" $CATALINA_BASE/conf/server.xml - - Expected output should include: - - shutdown=\"NONDETERMINISTICVALUE\" - - If the shutdown port is not set to \"-1\" and/or the shutdown command equals \"SHUTDOWN\", this is a finding. - " - desc 'fix', " - Edit the $CATALINA_BASE/conf/catalina.properties file. - - Add or edit the following line: - - base.shutdown.port=-1 - - Edit the $CATALINA_HOME/server.xml file. - - Set the shutdown command value in the Server node. - - EXAMPLE: - - - Restart the service: - # systemctl restart loginsight.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000134' - tag rid: 'SV-TCSV-00-000134' - tag stig_id: 'TCSV-00-000134' - tag cci: ['CCI-000381'] - tag nist: ['CM-7 a'] - - props = parse_config(file("#{input('catalinaBase')}/conf/catalina.properties").content) - sp = input('shutdownPort') - - describe props do - its(['base.shutdown.port']) { should cmp sp } - end - - describe xml("#{input('catalinaBase')}/conf/server.xml") do - its(['/Server/@shutdown']) { should_not cmp ['SHUTDOWN'] } - end -end 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000141.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000141.rb deleted file mode 100644 index 20388b74..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000141.rb +++ /dev/null @@ -1,33 +0,0 @@ -control 'TCSV-00-000141' do - title ' Example applications must be removed.' - desc " - tc Server provides example applications, documentation, and other directories in the default installation which do not serve a production use. These files must be deleted. - - " - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # ls -l $CATALINA_HOME/webapps/examples - - If the examples folder exists or contains any content, this is a finding. - " - desc 'fix', " - At the command prompt, run the following command: - - # rm -rf $CATALINA_HOME/webapps/examples - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000141' - tag rid: 'SV-TCSV-00-000141' - tag stig_id: 'TCSV-00-000141' - tag cci: ['CCI-000381'] - tag nist: ['CM-7 a'] - - # Make sure the examples directory does not exist - describe directory("#{input('catalinaHome')}/webapps/examples").exist? do - it { should cmp 'false' } - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000147.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000147.rb deleted file mode 100644 index 6067d963..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000147.rb +++ /dev/null 
@@ -1,40 +0,0 @@ -control 'TCSV-00-000147' do - title '$CATALINA_BASE/work folder must be owned by tomcat user, group tomcat.' - desc 'tc Server file permissions must be restricted. The standard configuration is to have all tc Server files owned by root with group tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the tomcat user rather than root. This means that even if an attacker compromises the tc Server process, they cannot change the configuration, deploy new web applications, or modify existing web applications. The tc Server process runs with a umask of 0027 to maintain these permissions.' - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # find $CATALINA_BASE/work -follow -maxdepth 0 \\( ! -user tomcat -o ! -group tomcat \\) -ls - - If no folders are displayed, this is not a finding. - - If results indicate the $CATALINA_BASE/work folder ownership and group membership is not set to tomcat:tomcat, this is a finding. - - Note: The name root and group name tomcat are used here as a reference, but technically can be named anything. - " - desc 'fix', " - At the command prompt, run the following command: - - # find $CATALINA_BASE/work -maxdepth 0 \\( ! -user tomcat \\) | sudo xargs chown tomcat 2> /dev/null - - # find $CATALINA_BASE/work -maxdepth 0 \\( ! -group tomcat \\) | sudo xargs chgrp tomcat 2> /dev/null - - Note: The name root and group name tomcat are used here as a reference, but technically can be named anything. 
- " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000380-AS-000088' - tag gid: 'V-TCSV-00-000147' - tag rid: 'SV-TCSV-00-000147' - tag stig_id: 'TCSV-00-000147' - tag cci: ['CCI-001813'] - tag nist: ['CM-5 (1)'] - - command("find '#{input('catalinaBase')}/work' -type f -xdev").stdout.split.each do |fname| - describe file(fname) do - its('owner') { should cmp "#{input('svcAccountName')}" } - its('group') { should cmp "#{input('svcGroup')}" } - end - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000148.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000148.rb deleted file mode 100644 index 53dcc379..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000148.rb +++ /dev/null 
@@ -1,40 +0,0 @@ -control 'TCSV-00-000148' do - title 'Changes to $CATALINA_BASE/conf folder must be logged.' - desc 'The $CATALINA_BASE/conf folder contains configuration files for the tc Server Catalina service. To provide forensic evidence in the event of file tampering, changes to content in this folder must be logged. This can be done on the Ubuntu OS via the auditctl command (For Linux OS flavors other than Ubuntu, use the relevant OS commands). Use the "-p wa" flag to set the permissions flag for a file system watch to log change events.' - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command to check the audit rules for the tc Server folders: - - # auditctl -l | grep -i tomcat - - If the results do not include -w $CATALINA_BASE/conf -p wa -k tomcat, or if there are no results, this is a finding. - - Note: The names tomcat.service and tomcat are used here as references, but technically they can be called anything. - " - desc 'fix', " - At the command prompt, run the following command to audit the configuration files: - - # auditctl -w $CATALINA_BASE/conf -p wa -k tomcat - - Validate the audit watch was created. - - # auditctl -l - - EXAMPLE: - -w /opt/tomcat/latest/conf -p wa -k tomcat - - Note: The name tomcat is used here as a reference, but technically it can be called anything. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000504-AS-000229' - tag gid: 'V-TCSV-00-000148' - tag rid: 'SV-TCSV-00-000148' - tag stig_id: 'TCSV-00-000148' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] - - describe auditd do - its('lines') { should include %r{-w #{input('catalinaBase')}/conf -p wa -k #{input('svcAccountName')}} } - end -end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000149.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000149.rb deleted file mode 100644 index 83a74187..00000000 
--- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000149.rb +++ /dev/null @@ -1,40 +0,0 @@ -control 'TCSV-00-000149' do - title 'Changes to $CATALINA_HOME/lib/ folder must be logged.' - desc 'The $CATALINA_HOME/lib folder contains library files for the tc Server Catalina service. These are in the form of java archive (jar) files. To provide forensic evidence in the event of file tampering, changes to content in this folder must be logged. This can be done on the Ubuntu OS via the auditctl command (For Linux OS flavors other than Ubuntu, use the relevant OS commands). Use the "-p wa" flag to set the permissions flag for a file system watch to log change events.' - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command to check the audit rules for the tc Server folders: - - # auditctl -l | grep -i tomcat - - If the results do not include -w $CATALINA_HOME/lib -p wa -k tomcat, or if there are no results, this is a finding. - - Note: The names tomcat.service and tomcat are used here as references, but technically they can be called anything. - " - desc 'fix', " - At the command prompt, run the following command to audit the configuration files: - - # auditctl -w $CATALINA_HOME/lib -p wa -k tomcat - - Validate the audit watch was created. - - # auditctl -l - - EXAMPLE: - -w /opt/tomcat/latest/lib -p wa -k tomcat - - Note: The name tomcat is used here as a reference, but technically it can be called anything. - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000504-AS-000229' - tag gid: 'V-TCSV-00-000149' - tag rid: 'SV-TCSV-00-000149' - tag stig_id: 'TCSV-00-000149' - tag cci: ['CCI-000172'] - tag nist: ['AU-12 c'] - - describe auditd do - its('lines') { should include %r{-w #{input('catalinaHome')}/lib -p wa -k #{input('svcAccountName')}} } - end -end 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000152.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000152.rb deleted file mode 100644 index f6b53132..00000000 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000152.rb +++ /dev/null @@ -1,41 +0,0 @@ -control 'TCSV-00-000152' do - title 'ENFORCE_ENCODING_IN_GET_WRITER must be set to true.' - desc 'Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for a XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true.' - desc 'rationale', '' - desc 'check', " - At the command prompt, run the following command: - - # grep -i ENFORCE_ENCODING $CATALINA_BASE/conf/catalina.properties - - If there are no results, or if the org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER is not set to true, this is a finding. - " - desc 'fix', " - Edit the $CATALINA_BASE/conf/catalina.properties file. - - Change the \"org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER\" setting to \"true\". - - EXAMPLE catalina.properties: - ... - org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true - org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true - ... - - Restart the service: - # systemctl restart loginsight.service - " - impact 0.5 - tag severity: 'medium' - tag gtitle: 'SRG-APP-000516-AS-000237' - tag gid: 'V-TCSV-00-000152' - tag rid: 'SV-TCSV-00-000152' - tag stig_id: 'TCSV-00-000152' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - - # Check catalina.properties file - props = parse_config(file("#{input('catalinaBase')}/conf/catalina.properties").content) - - describe props do - its(['org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER']) { should cmp 'true' } - end -end 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000001.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000001.rb similarity index 58% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000001.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000001.rb index ba9e6ea8..62304c88 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000001.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000001.rb 
@@ -1,53 +1,47 @@ -control 'TCSV-00-000001' do - title 'tc Server must limit the number of maximum concurrent connections permitted.' +control 'VRLT-8X-000001' do + title 'The VMware Aria Operations for Logs tc Server must limit the number of maximum concurrent connections permitted.' desc " Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Unless the number of requests is controlled, the web server can eventually consume enough system resources to cause a system crash. - Mitigating this kind of attack includes limiting the number of concurrent HTTP/HTTPS requests. Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute. - - NOTE: Executor settings will override Connector settings + Mitigating this kind of attack includes limiting the number of concurrent HTTP/HTTPS requests. Each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the \"maxThreads\" attribute. " desc 'rationale', '' desc 'check', " - At the command prompt, run the following commands: - - # xmllint --xpath \"//Executor[not(@maxThreads)]/@name | //Executor[@maxThreads != '200']/@name\" $CATALINA_BASE/conf/server.xml | awk 1 RS=' ' - # xmllint --xpath \"//Connector[not(@maxThreads)]/@port | //Connector[@maxThreads != '200']/@port\" $CATALINA_BASE/conf/server.xml | awk 1 RS=' ' + At the command prompt, run the following command: - The default value for maxThreads is 200. 
+ # xmllint --xpath \"//Connector[not(@executor) and not(@redirectPort) and @maxThreads]/@maxThreads\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml If the value of \"maxThreads\" is missing, this is not a finding. - If the value of \"maxThreads\" is set at either the Executor node or each Connector node, and the value is not set to an allowed limit for the environment, this is a finding. + If the value of \"maxThreads\" is set at a Connector node, and the value is not set to an allowed limit for the environment, this is a finding. Note: If a Connector is linked to an Executor, Executor settings will override Connector settings. In the commands above, the value 200 is default and should be replaced with the appropriate value for the environment. " desc 'fix', " - Navigate to and open $CATALINA_HOME/server.xml + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. - Navigate to the node. + Navigate to each applicable node that is not a redirect to a secure port, and is not linked to an Executor. - Configure the node with the value 'maxThreads=\"200\"' + Configure the node with the value 'maxThreads=\"200\"' Example: - - + Restart the service: # systemctl restart loginsight.service - Note: If a Connector is linked to an Executor, Executor settings will override Connector settings. In the example above, the value 200 is default and should be replaced with the appropriate value for the environment. + Note: If a Connector is linked to an Executor, Executor settings will override Connector settings, and the \"maxThreads\" setting must be configured correctly in the Executor. In the example above, the value 200 is default and should be replaced with the appropriate value for the environment. 
" impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000001-AS-000001' - tag gid: 'V-TCSV-00-000001' - tag rid: 'SV-TCSV-00-000001' - tag stig_id: 'TCSV-00-000001' + tag gid: 'V-VRLT-8X-000001' + tag rid: 'SV-VRLT-8X-000001' + tag stig_id: 'VRLT-8X-000001' tag cci: ['CCI-000054'] tag nist: ['AC-10'] @@ -77,8 +71,10 @@ end else # No Executor with a maxThreads exists - check each connector - describe xmlconf do - its(['//Connector/@maxThreads']) { should cmp mt } + xmlconf['//Connector/@maxThreads'].each do |conn| + describe conn do + it { should cmp mt } + end end end end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000004.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000004.rb similarity index 83% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000004.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000004.rb index ff2289b3..da5dad53 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000004.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000004.rb @@ -1,5 +1,5 @@ -control 'TCSV-00-000004' do - title 'Logging must be configured for each tc Server application context.' +control 'VRLT-8X-000004' do + title 'The VMware Aria Operations for Logs tc Server must have logging configured for each application context.' desc " Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. 
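Review bot: The note retained at the end of the check text still says "In the commands above, the value 200 is default and should be replaced", but the rewritten check now runs a single xmllint command that contains no value at all (the old commands with `@maxThreads != '200'` were removed), so that sentence points at nothing. Suggested wording: `Note: If a Connector is linked to an Executor, Executor settings will override Connector settings. The default value for maxThreads is 200; compare the values returned above against the limit approved for the environment.` Separately, the check reads /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml while the fix edits /usr/lib/loginsight/application/etc/3rd_config/server.xml; if the runtime copy is regenerated from the etc/3rd_config file on service restart (the diff does not show this), the fix should say so, otherwise an operator who edits the runtime file will see the change reverted and the check will never pass. The control's InSpec body starts after this hunk.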
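Review bot: The new per-connector loop evaluates `//Connector/@maxThreads` on every Connector, but the check text rewritten in the same commit deliberately skips Connectors that carry a redirectPort or are linked to an Executor, so a manual review and an automated run can disagree on the same server.xml (for example a redirect-only HTTP connector with maxThreads="100" is ignored by the check but fails the test). Mirror the check's filter in the XPath, `xmlconf["//Connector[not(@executor) and not(@redirectPort)]/@maxThreads"].each do |conn|`, or drop the exclusions from the check text if every connector is meant to be measured; whichever way, the two should agree. This is the else branch of an if/else whose condition and Executor handling begin before the hunk, so the Executor-linked case may already be handled there — worth confirming before changing the XPath.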
@@ -11,7 +11,7 @@ To find all the AccessLogValve objects, and their associated parent node, run the following command: - # xmllint --xpath \"//Valve[contains(@className, 'AccessLogValve')]/parent::*\" $CATALINA_BASE/conf/server.xml + # xmllint --xpath \"//Valve[contains(@className, 'AccessLogValve')]/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml If a element is not defined within one of the Container elements, this is a finding. @@ -25,7 +25,7 @@ /> " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Create or edit a element that is nested within the container. @@ -45,9 +45,9 @@ tag severity: 'medium' tag gtitle: 'SRG-APP-000016-AS-000013' tag satisfies: %w(SRG-APP-000090-AS-000051 SRG-APP-000495-AS-000220 SRG-APP-000499-AS-000224 SRG-APP-000503-AS-000228) - tag gid: 'V-TCSV-00-000004' - tag rid: 'SV-TCSV-00-000004' - tag stig_id: 'TCSV-00-000004' + tag gid: 'V-VRLT-8X-000004' + tag rid: 'SV-VRLT-8X-000004' + tag stig_id: 'VRLT-8X-000004' tag cci: %w(CCI-000067 CCI-000171 CCI-000172) tag nist: ['AC-17 (1)', 'AU-12 b', 'AU-12 c'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000005.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000005.rb similarity index 76% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000005.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000005.rb index c4c97202..e492cfef 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000005.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000005.rb 
@@ -1,15 +1,15 @@ -control 'TCSV-00-000005' do - title 'Cookies must have secure flag set.' +control 'VRLT-8X-000005' do + title 'The VMware Aria Operations for Logs tc Server must have the secure flag set for cookies.' desc " It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. - The $CATALINA_BASE/conf/web.xml file controls how each application handles cookies via the element. + The web.xml file controls how each application handles cookies via the element. " desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - xmllint --xpath \"//*[local-name()='cookie-config']/parent::*\" $CATALINA_BASE/conf/web.xml + xmllint --xpath \"//*[local-name()='cookie-config']/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml If the command returns no results or if the element is not set to true, this is a finding. @@ -23,7 +23,7 @@ " desc 'fix', " - Edit the $CATALINA_BASE/conf/web.xml. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml. If the cookie-config section does not exist it must be added. Add or modify the setting as a child node to the node and set its value to true. @@ -46,9 +46,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000033-AS-000024' - tag gid: 'V-TCSV-00-000005' - tag rid: 'SV-TCSV-00-000005' - tag stig_id: 'TCSV-00-000005' + tag gid: 'V-VRLT-8X-000005' + tag rid: 'SV-VRLT-8X-000005' + tag stig_id: 'VRLT-8X-000005' tag cci: ['CCI-000213'] tag nist: ['AC-3'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000013.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000013.rb similarity index 84% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000013.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000013.rb index dd8ed427..ed260eca 100644 
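Review bot: The check inspects only the container-wide conf/web.xml, yet the title claims the secure flag for cookies across the server; as I understand Tomcat's web.xml merging, a deployed application's own WEB-INF/web.xml can carry its own session-config/cookie-config that takes precedence for that context, so a secure=true in the global file does not by itself show every application context sets the flag. A one-line addition to the check would close that gap: `Also review each deployed application's WEB-INF/web.xml; if any cookie-config sets secure to false, this is a finding.` The InSpec assertion for this control lies outside the hunk, so whether it looks beyond the global file cannot be confirmed from here.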
--- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000013.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000013.rb @@ -1,5 +1,5 @@ -control 'TCSV-00-000013' do - title 'tc Server must initiate session logging upon startup.' +control 'VRLT-8X-000013' do + title 'The VMware Aria Operations for Logs tc Server must initiate session logging upon startup.' desc " An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available during a forensic investigation. To ensure all relevant events are captured, the web server must begin logging once the first web server process is initiated. @@ -9,14 +9,14 @@ desc 'check', " At the command prompt, run the following command: - # grep -B10 -A2 '\"$CATALINA_OUT\" 2>&1 \"&\"' $CATALINA_HOME/catalina.sh + # grep -B10 -A2 '\"$CATALINA_OUT\" 2>&1 \"&\"' /usr/lib/loginsight/application/etc/3rd_config/catalina.sh Verify that each start command within the \"elif [ \"$1\" = \"start\" ] ; then\" block contains the text '>> \"$CATALINA_OUT\" 2>&1 \"&\"' If the command is not correct or is missing, this is a finding. " desc 'fix', " - Edit the $CATALINA_HOME/catalina.sh file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/catalina.sh file. Navigate to and locate the start block : \"elif [ \"$1\" = \"start\" ] ; then\". @@ -44,9 +44,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000092-AS-000053' - tag gid: 'V-TCSV-00-000013' - tag rid: 'SV-TCSV-00-000013' - tag stig_id: 'TCSV-00-000013' + tag gid: 'V-VRLT-8X-000013' + tag rid: 'SV-VRLT-8X-000013' + tag stig_id: 'VRLT-8X-000013' tag cci: ['CCI-001464'] tag nist: ['AU-14 (1)'] 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000014.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000014.rb similarity index 86% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000014.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000014.rb index ce072588..b41b7f5d 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000014.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000014.rb @@ -1,7 +1,7 @@ -control 'TCSV-00-000014' do - title 'The tc Server must produce log records containing sufficient information regarding event details.' +control 'VRLT-8X-000014' do + title 'The VMware Aria Operations for Logs tc Server must produce log records containing sufficient information regarding event details.' desc " - After a security incident has occurred, investigators will often review log files to determine what happened. tc Server must create a log entry when users access the system, and the system authenticates the users. + After a security incident has occurred, investigators will often review log files to determine what happened. The tc Server must create a log entry when users access the system, and the system authenticates the users. The logs must contain information about user sessions to include what type of event occurred, when (date and time) events occurred, where within the server the events occurred, the client source of the events, the outcome (success or failure) of the event, and the identity of the user/subject/process associated with the event. 
@@ -13,7 +13,7 @@ desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//*[contains(@className, 'AccessLogValve')]/parent::*\" $CATALINA_BASE/conf/server.xml + # xmllint --xpath \"//*[contains(@className, 'AccessLogValve')]/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml Review all \"Valve\" elements. @@ -30,7 +30,7 @@ " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Modify the element(s) nested within the element(s). @@ -53,9 +53,9 @@ tag severity: 'medium' tag gtitle: 'SRG-APP-000095-AS-000056' tag satisfies: %w(SRG-APP-000080-AS-000045 SRG-APP-000089-AS-000050 SRG-APP-000091-AS-000052 SRG-APP-000096-AS-000059 SRG-APP-000097-AS-000060 SRG-APP-000098-AS-000061 SRG-APP-000099-AS-000062 SRG-APP-000100-AS-000063 SRG-APP-000343-AS-000030 SRG-APP-000375-AS-000211) - tag gid: 'V-TCSV-00-000014' - tag rid: 'SV-TCSV-00-000014' - tag stig_id: 'TCSV-00-000014' + tag gid: 'V-VRLT-8X-000014' + tag rid: 'SV-VRLT-8X-000014' + tag stig_id: 'VRLT-8X-000014' tag cci: %w(CCI-000130 CCI-000131 CCI-000132 CCI-000133 CCI-000134 CCI-000166 CCI-000169 CCI-000172 CCI-001487 CCI-001889 CCI-002234) tag nist: ['AC-6 (9)', 'AU-10', 'AU-12 a', 'AU-12 c', 'AU-3', 'AU-8 b'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000025.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000025.rb new file mode 100644 index 00000000..12d1b86c --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000025.rb 
@@ -0,0 +1,32 @@ +control 'VRLT-8X-000025' do + title 'The VMware Aria Operations for Logs tc Server logs folder permissions must be set correctly.' + desc 'The tc Server file permissions must be restricted. The standard configuration is to have all files owned by root with group tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the tomcat user rather than root. This means that even if an attacker compromises the tc Server process, they cannot change the tc Server configuration, deploy new web applications, or modify existing web applications. The tc Server process runs with a umask of 0027 to maintain these permissions.' + desc 'rationale', '' + desc 'check', " + At the command prompt, run the following command: + + # find /usr/lib/loginsight/application/3rd_party/apache-tomcat/logs -follow -maxdepth 0 -type d \\( \\! -perm 750 \\) -ls + + If no folders are displayed, this is not a finding. + + If results indicate the /usr/lib/loginsight/application/3rd_party/apache-tomcat/logs folder permissions are not set to 750, this is a finding. + " + desc 'fix', " + At the command prompt, run the following command: + + # find /usr/lib/loginsight/application/3rd_party/apache-tomcat/logs -follow -maxdepth 0 -type d | sudo xargs chmod 750 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-APP-000118-AS-000078' + tag satisfies: ['SRG-APP-000120-AS-000080'] + tag gid: 'V-VRLT-8X-000025' + tag rid: 'SV-VRLT-8X-000025' + tag stig_id: 'VRLT-8X-000025' + tag cci: %w(CCI-000162 CCI-000164) + tag nist: ['AU-9'] + + describe file("#{input('catalinaBase')}/logs") do + it { should_not be_more_permissive_than('0750') } + end +end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000026.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000026.rb new file mode 100644 index 00000000..c43c32cb --- /dev/null 
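Review bot: The check text requires the logs directory mode to be exactly 750 (`\! -perm 750`), but the describe block at the bottom only asserts `should_not be_more_permissive_than('0750')`, so a directory at 700 passes the automated test yet is a finding under the manual check; pick one reading and use it in both places, e.g. `its('mode') { should cmp '0750' }` for an exact match. The desc also states the logs directory is owned by the tomcat user rather than root, yet no ownership assertion is made; if ownership is in scope for this control, an `it { should be_owned_by '<service-account placeholder>' }` line with the appliance's real service account would close that gap. Note too that the check text hard-codes the absolute path while the test reads `input('catalinaBase')`, so the two can drift if the input is overridden. The control is complete within this hunk.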
+++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000026.rb @@ -0,0 +1,33 @@ +control 'VRLT-8X-000026' do + title 'The VMware Aria Operations for Logs tc Server files in the $CATALINA_BASE/logs folder must have their permissions set to 640.' + desc 'The tc Server file permissions must be restricted. The standard configuration is to have all files owned by root. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories. This means that even if an attacker compromises the tc Server process, they cannot change the configuration, deploy new web applications, or modify existing web applications. The tc Server process runs with a umask of 0027 to maintain these permissions.' + desc 'rationale', '' + desc 'check', " + At the command prompt, run the following command: + + # find /usr/lib/loginsight/application/3rd_party/apache-tomcat/logs/* -follow -maxdepth 0 -type f \\( \\! -perm 640 \\) -ls + + If no files are displayed, this is not a finding. + + If results indicate any of the file permissions contained in the /usr/lib/loginsight/application/3rd_party/apache-tomcat/logs folder are not set to 640, this is a finding. + " + desc 'fix', " + At the command prompt, run the following command: + + # find /usr/lib/loginsight/application/3rd_party/apache-tomcat/logs/* -follow -maxdepth 0 -type f | sudo xargs chmod 640 + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-APP-000119-AS-000079' + tag gid: 'V-VRLT-8X-000026' + tag rid: 'SV-VRLT-8X-000026' + tag stig_id: 'VRLT-8X-000026' + tag cci: ['CCI-000163'] + tag nist: ['AU-9'] + + command("find '#{input('catalinaBase')}/logs' -type f -xdev").stdout.split.each do |fname| + describe file(fname) do + it { should_not be_more_permissive_than('0640') } + end + end +end 
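Review bot: The `command(...).stdout.split.each` loop at the end of the control splits find's output on any whitespace, so a log file whose name contains a space is checked as two nonexistent paths, and when find returns nothing the loop emits no describe block at all, leaving the control with no results rather than an explicit outcome. The find invocation also recurses (`-type f` with no depth limit) while the check text limits itself to direct children of the logs directory (`logs/* -maxdepth 0`); align the two, either by adding `-maxdepth 1` here or by dropping the depth limit from the check text if recursion is intended. As with the directory check in this patch, the check text demands exactly 640 (`\! -perm 640`) while the matcher accepts stricter modes. Splitting on newlines, matching the documented depth and reporting the empty case explicitly would look like the following. The control is complete within this hunk.
```ruby
  # … unchanged: control metadata, desc and tag lines …
  logs_dir = "#{input('catalinaBase')}/logs"
  # One path per line; whitespace splitting would break on names containing spaces.
  log_files = command("find '#{logs_dir}' -maxdepth 1 -type f -xdev").stdout.split("\n")

  if log_files.empty?
    describe 'tc Server log files' do
      skip "No files found under #{logs_dir}; nothing to check."
    end
  end

  log_files.each do |fname|
    describe file(fname) do
      it { should_not be_more_permissive_than('0640') }
    end
  end
end
```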
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000036.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000036.rb similarity index 76% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000036.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000036.rb index 5c4c0b8f..7b2f5055 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000036.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000036.rb @@ -1,18 +1,18 @@ -control 'TCSV-00-000036' do - title 'Stack tracing must be disabled.' +control 'VRLT-8X-000036' do + title 'The VMware Aria Operations for Logs tc Server must disable Stack tracing.' desc 'Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, tc Server will provide this call stack information to the requestor which could result in the loss of sensitive information or data that could be used to compromise the system. ' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//Connector[@allowTrace]\" $CATALINA_BASE/conf/server.xml + # xmllint --xpath \"//Connector[@allowTrace]\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml If any data is returned, review each connector element to ensure each connector does not have an \"allowTrace\" setting, or if there, the \"allowTrace\" setting is set to false. If any connector element contains the 'allowTrace = \"true\"' statement, this is a finding. " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Remove the 'allow Trace=\"true\"' statement from the affected nodes. 
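Review bot: The fix text in the `@@ -1,18` hunk tells the operator to remove the `'allow Trace=\"true\"'` statement, but the attribute the xmllint check looks for is `allowTrace`; with the space the instruction matches nothing in server.xml. Change it to `Remove the 'allowTrace=\"true\"' statement from the affected nodes.` so the fix and the check refer to the same attribute. The control block continues past the end of this hunk.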
@@ -22,9 +22,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000036' - tag rid: 'SV-TCSV-00-000036' - tag stig_id: 'TCSV-00-000036' + tag gid: 'V-VRLT-8X-000036' + tag rid: 'SV-VRLT-8X-000036' + tag stig_id: 'VRLT-8X-000036' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000057.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000057.rb similarity index 78% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000057.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000057.rb index d00cc306..454c6322 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000057.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000057.rb 
@@ -1,16 +1,16 @@ -control 'TCSV-00-000057' do - title 'tc Server must be configured to limit data exposure between applications.' +control 'VRLT-8X-000057' do + title 'The VMware Aria Operations for Logs tc Server must be configured to limit data exposure between applications.' desc 'If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one request to another. This setting is configured using environment variable settings. For Linux OS flavors other than Ubuntu, use the relevant OS commands. For Ubuntu, this setting can be managed in the /etc/systemd/system/tomcat.service file via the CATALINA_OPTS variable. This setting is defined in the file and referenced during tc Server startup in order to load environment variables. ' desc 'rationale', '' desc 'check', " At the command prompt, run the following commands: - # grep -i RECYCLE_FACADES $CATALINA_BASE/conf/catalina.properties + # grep -i RECYCLE_FACADES /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties If there are no results, or if 'org.apache.catalina.connector.RECYCLE_FACADES' is not set to true, this is a finding. " desc 'fix', " - Edit the $CATALINA_BASE/conf/catalina.properties file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties file. Ensure the 'org.apache.catalina.connector.RECYCLE_FACADES' line is present, and is set to true. @@ -27,9 +27,9 @@ tag severity: 'medium' tag gtitle: 'SRG-APP-000223-AS-000150' tag satisfies: ['SRG-APP-000516-AS-000237'] - tag gid: 'V-TCSV-00-000057' - tag rid: 'SV-TCSV-00-000057' - tag stig_id: 'TCSV-00-000057' + tag gid: 'V-VRLT-8X-000057' + tag rid: 'SV-VRLT-8X-000057' + tag stig_id: 'VRLT-8X-000057' tag cci: %w(CCI-000366 CCI-001664) tag nist: ['CM-6 b', 'SC-23 (3)'] 
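Review bot: The desc in the `@@ -1,16` hunk still says RECYCLE_FACADES is managed through environment variables and, on Ubuntu, via `CATALINA_OPTS` in `/etc/systemd/system/tomcat.service`, while the check and fix directly below point at `org.apache.catalina.connector.RECYCLE_FACADES` in catalina.properties on the appliance. That generic guidance sends a reader to a file that does not apply here; trimming the desc to the sentence about the per-request facade object and stating that the appliance sets the property in catalina.properties keeps it consistent with the check. The control block's remaining lines sit between this hunk and the `@@ -27,9` hunk.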
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000062.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000062.rb similarity index 68% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000062.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000062.rb index 5b6bf41b..52937b5f 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000062.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000062.rb @@ -1,16 +1,16 @@ -control 'TCSV-00-000062' do - title 'tc Server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.' +control 'VRLT-8X-000062' do + title 'The VMware Aria Operations for Logs tc Server must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.' desc 'Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the tc Server is hosting. In most cases, it is preferable that the service abort startup on any initialization failure rather than continuing in a degraded, and potentially insecure, state.' desc 'rationale', '' desc 'check', " At the command prompt, run the following commands: - # grep -i EXIT_ON_INIT_FAILURE $CATALINA_BASE/conf/catalina.properties + # grep -i EXIT_ON_INIT_FAILURE /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties If the setting org.apache.catalina.startup.EXIT_ON_INIT_FAILURE is false, or is missing from the file, this is a finding. " desc 'fix', " - Edit the $CATALINA_BASE/conf/catalina.properties file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties file. Add or change the org.apache.catalina.startup.EXIT_ON_INIT_FAILURE setting to equal true. 
@@ -20,9 +20,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000225-AS-000166' - tag gid: 'V-TCSV-00-000062' - tag rid: 'SV-TCSV-00-000062' - tag stig_id: 'TCSV-00-000062' + tag gid: 'V-VRLT-8X-000062' + tag rid: 'SV-VRLT-8X-000062' + tag stig_id: 'VRLT-8X-000062' tag cci: ['CCI-001190'] tag nist: ['SC-24'] props = parse_config(file("#{input('catalinaBase')}/conf/catalina.properties").content) diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000065.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000065.rb similarity index 80% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000065.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000065.rb index 5458da54..ae099516 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000065.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000065.rb @@ -1,5 +1,5 @@ -control 'TCSV-00-000065' do - title 'tc Server must set URIEncoding to UTF-8.' +control 'VRLT-8X-000065' do + title 'The VMware Aria Operations for Logs tc Server must set URIEncoding to UTF-8.' desc " Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. @@ -11,13 +11,13 @@ desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//Connector[not(@URIEncoding)] | //Connector[@URIEncoding != 'UTF-8']\" $CATALINA_BASE/conf/server.xml | awk 1 RS=' nodes. 
@@ -29,9 +29,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000251-AS-000165' - tag gid: 'V-TCSV-00-000065' - tag rid: 'SV-TCSV-00-000065' - tag stig_id: 'TCSV-00-000065' + tag gid: 'V-VRLT-8X-000065' + tag rid: 'SV-VRLT-8X-000065' + tag stig_id: 'VRLT-8X-000065' tag cci: ['CCI-001310'] tag nist: ['SI-10'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000067.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000067.rb similarity index 81% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000067.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000067.rb index 1602b885..fef8d7d3 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000067.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000067.rb @@ -1,11 +1,11 @@ -control 'TCSV-00-000067' do - title 'ErrorReportValve showServerInfo must be set to false.' +control 'VRLT-8X-000067' do + title 'The VMware Aria Operations for Logs tc Server showServerInfo setting in the ErrorReportValve must be set to false.' desc 'The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types. Disabling showServerInfo will only return the HTTP status code and remove all CSS from the default non-error related HTTP responses.' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//*[contains(@className, 'ErrorReportValve')]/parent::*\" $CATALINA_BASE/conf/server.xml + # xmllint --xpath \"//*[contains(@className, 'ErrorReportValve')]/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml If the ErrorReportValve element is not defined or showServerInfo is not set to \"false\", this is a finding. 
@@ -17,7 +17,7 @@ " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Create or modify an ErrorReportValve element nested within each element. @@ -36,9 +36,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000266-AS-000169' - tag gid: 'V-TCSV-00-000067' - tag rid: 'SV-TCSV-00-000067' - tag stig_id: 'TCSV-00-000067' + tag gid: 'V-VRLT-8X-000067' + tag rid: 'SV-VRLT-8X-000067' + tag stig_id: 'VRLT-8X-000067' tag cci: ['CCI-001312'] tag nist: ['SI-11 a'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000070.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000070.rb similarity index 82% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000070.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000070.rb index f98d33a1..0722ac5a 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000070.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000070.rb @@ -1,5 +1,5 @@ -control 'TCSV-00-000070' do - title 'tc Server must set an inactive timeout for sessions.' +control 'VRLT-8X-000070' do + title 'The VMware Aria Operations for Logs tc Server must set an inactive timeout for sessions.' desc " Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. 
@@ -9,7 +9,7 @@ desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//*[local-name()='session-timeout']/parent::*\" $CATALINA_BASE/conf/web.xml + # xmllint --xpath \"//*[local-name()='session-timeout']/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml If the value of is not \"30\" or less, or is missing, this is a finding. @@ -23,7 +23,7 @@ " desc 'fix', " - Edit the $CATALINA_BASE/conf/web.xml file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml file. Navigate to the node. @@ -45,9 +45,9 @@ tag severity: 'medium' tag gtitle: 'SRG-APP-000295-AS-000263' tag satisfies: ['SRG-APP-000389-AS-000253'] - tag gid: 'V-TCSV-00-000070' - tag rid: 'SV-TCSV-00-000070' - tag stig_id: 'TCSV-00-000070' + tag gid: 'V-VRLT-8X-000070' + tag rid: 'SV-VRLT-8X-000070' + tag stig_id: 'VRLT-8X-000070' tag cci: %w(CCI-002038 CCI-002361) tag nist: %w(AC-12 IA-11) diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000125.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000125.rb similarity index 79% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000125.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000125.rb index d915aaec..c3365e1d 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000125.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000125.rb 
@@ -1,5 +1,5 @@ -control 'TCSV-00-000125' do - title 'tc Server must limit the amount of time that each TCP connection is kept alive.' +control 'VRLT-8X-000125' do + title 'The VMware Aria Operations for Logs tc Server must limit the amount of time that each TCP connection is kept alive.' desc " Denial of Service is one of many threats against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. Mitigation against these threats is to take steps to limit the number of resources that can be consumed in certain ways. @@ -9,12 +9,12 @@ desc 'check', " At the command prompt, run the following command (substitute the appropriate connectionTimeout value): - # xmllint --format --xpath \"//Connector[not(@connectionTimeout)] | //Connector[@connectionTimeout != '20000']\" $CATALINA_BASE/conf/server.xml | awk 1 + # xmllint --format --xpath \"//Connector[not(@connectionTimeout)] | //Connector[@connectionTimeout != '20000']\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml | awk 1 For each connector, if the value of \"connectionTimeout\" is not set to \"20000\" or is missing, this is a finding. " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Navigate to each of the nodes. @@ -32,9 +32,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000001-AS-000001' - tag gid: 'V-TCSV-00-000125' - tag rid: 'SV-TCSV-00-000125' - tag stig_id: 'TCSV-00-000125' + tag gid: 'V-VRLT-8X-000125' + tag rid: 'SV-VRLT-8X-000125' + tag stig_id: 'VRLT-8X-000125' tag cci: ['CCI-000054'] tag nist: ['AC-10'] 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000126.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000126.rb similarity index 79% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000126.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000126.rb index 23ad839e..b0b4b6a8 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000126.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000126.rb @@ -1,5 +1,5 @@ -control 'TCSV-00-000126' do - title 'tc Server must limit the number of times that each TCP connection is kept alive.' +control 'VRLT-8X-000126' do + title 'The VMware Aria Operations for Logs tc Server must limit the number of times that each TCP connection is kept alive.' desc " KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. @@ -12,13 +12,13 @@ desc 'check', " At the command prompt, run the following command (replace maxKeepAliveRequests with appropriate value): - # xmllint --format --xpath \"//Connector[not(@maxKeepAliveRequests)] | //Connector[@maxKeepAliveRequests != '15']\" $CATALINA_BASE/conf/server.xml | awk 1 RS='' ORS='\ + # xmllint --format --xpath \"//Connector[not(@maxKeepAliveRequests)] | //Connector[@maxKeepAliveRequests != '15']\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml | awk 1 RS='' ORS='\ ' For each connector node, if the value of \"maxKeepAliveRequests\" is not set to \"15\" or is missing, this is a finding. " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Navigate to each of the nodes. 
@@ -30,9 +30,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000001-AS-000001' - tag gid: 'V-TCSV-00-000126' - tag rid: 'SV-TCSV-00-000126' - tag stig_id: 'TCSV-00-000126' + tag gid: 'V-VRLT-8X-000126' + tag rid: 'SV-VRLT-8X-000126' + tag stig_id: 'VRLT-8X-000126' tag cci: ['CCI-000054'] tag nist: ['AC-10'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000127.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000127.rb similarity index 63% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000127.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000127.rb index 245fc513..8672a588 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000127.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000127.rb @@ -1,5 +1,5 @@ -control 'TCSV-00-000127' do - title 'tc Server must set the setCharacterEncodingFilter filter.' +control 'VRLT-8X-000127' do + title 'The VMware Aria Operations for Logs tc Server must set the setCharacterEncodingFilter filter.' desc " Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. 
@@ -11,14 +11,14 @@ desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//*[contains(text(), 'SetCharacterEncodingFilter')]/parent::*\" $CATALINA_BASE/conf/web.xml + # xmllint --xpath \"//*[contains(text(), 'SetCharacterEncodingFilter')]/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml Verify that the 'setCharacterEncodingFilter' has been specified. If the \"setCharacterEncodingFilter\" filter has not been specified or is commented out, this is a finding. " desc 'fix', " - Edit the $CATALINA_BASE/conf/web.xml file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml file. Configure the node with the node listed below. @@ -31,10 +31,16 @@ ignore - false + true true + + setCharacterEncodingFilter + /* + + + Note: The \"\" and \"\" nodes may be in a different order. Restart the service: # systemctl restart loginsight.service 
@@ -42,17 +48,19 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000251-AS-000165' - tag gid: 'V-TCSV-00-000127' - tag rid: 'SV-TCSV-00-000127' - tag stig_id: 'TCSV-00-000127' + tag gid: 'V-VRLT-8X-000127' + tag rid: 'SV-VRLT-8X-000127' + tag stig_id: 'VRLT-8X-000127' tag cci: ['CCI-001310'] tag nist: ['SI-10'] # Open web.xml xmlconf = xml("#{input('catalinaBase')}/conf/web.xml") - # find the SetCharacterEncodingFilter, if there, then find the 'encoding' parent node (init-param) and get its param-value - describe xmlconf["//*[contains(text(), 'SetCharacterEncodingFilter')]/parent::*/init-param[param-name = 'encoding']/param-value"] do - it { should eq ['UTF-8'] } + describe xmlconf do + its('/web-app/filter-mapping[filter-name="setCharacterEncodingFilter"]/url-pattern') { should cmp '/*' } + its('/web-app/filter[filter-name="setCharacterEncodingFilter"]/filter-class') { should cmp 'org.apache.catalina.filters.SetCharacterEncodingFilter' } + its('/web-app/filter[filter-name="setCharacterEncodingFilter"]/init-param[param-name="encoding"]/param-value') { should cmp 'UTF-8' } + its('/web-app/filter[filter-name="setCharacterEncodingFilter"]/init-param[param-name="ignore"]/param-value') { should cmp 'true' } end end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000129.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000129.rb similarity index 76% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000129.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000129.rb index bc8b4206..9a57f792 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000129.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000129.rb 
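Review bot: The rewritten describe block drops the only comment that explained what is being verified, leaving `# Open web.xml` as the sole note for four XPath assertions, and nothing records why `ignore` must now be `true` (the `@@ -31,10` hunk flips the documented value from `false`). Add a comment above the block, e.g. `# ignore=true makes the filter apply UTF-8 even when the request declares another encoding` (per Tomcat's SetCharacterEncodingFilter documentation; confirm against the version shipped here). The absolute paths such as `/web-app/filter[...]` also differ in style from the `local-name()` XPaths this profile uses for web.xml in VRLT-8X-000070 and -000129, which suggests the file carries a default namespace; REXML, which backs the xml resource, is generally lenient about that, but a short note that these paths were validated against the appliance's web.xml would save the next reader the same question. The control block starts before this hunk and ends inside it.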
@@ -1,15 +1,15 @@ -control 'TCSV-00-000129' do - title 'Cookies must have http-only flag set.' +control 'VRLT-8X-000129' do + title 'The VMware Aria Operations for Logs tc Server must have the http-only flag set for cookies.' desc " It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header. When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is forbidden. - The $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the element. + The web.xml file controls how all applications handle cookies via the element. " desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//*[local-name()='cookie-config']/parent::*\" $CATALINA_BASE/conf/web.xml + # xmllint --xpath \"//*[local-name()='cookie-config']/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml If the command returns no results or if the element is not set to true, this is a finding. @@ -23,7 +23,7 @@ " desc 'fix', " - Edit the $CATALINA_BASE/conf/web.xml file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml file. If the cookie-config section does not exist it must be added. Add or modify the setting and set to true. @@ -39,9 +39,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000033-AS-000024' - tag gid: 'V-TCSV-00-000129' - tag rid: 'SV-TCSV-00-000129' - tag stig_id: 'TCSV-00-000129' + tag gid: 'V-VRLT-8X-000129' + tag rid: 'SV-VRLT-8X-000129' + tag stig_id: 'VRLT-8X-000129' tag cci: ['CCI-000213'] tag nist: ['AC-3'] 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000130.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000130.rb similarity index 86% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000130.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000130.rb index d3359106..f180435c 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000130.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000130.rb @@ -1,5 +1,5 @@ -control 'TCSV-00-000130' do - title 'DefaultServlet must be set to readonly for PUT and DELETE.' +control 'VRLT-8X-000130' do + title 'The VMware Aria Operations for Logs tc Server DefaultServlet must be set to readonly for PUT and DELETE.' desc " The DefaultServlet is a servlet provided with tc Server. It is called when no other suitable page can be displayed to the client. It serves static resources as well as directory listings and is declared globally in $CATALINA_BASE/conf/web.xml. @@ -11,7 +11,7 @@ desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//*[contains(text(), 'DefaultServlet')]/parent::*\" $CATALINA_BASE/conf/web.xml + # xmllint --xpath \"//*[contains(text(), 'DefaultServlet')]/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml If the \"readOnly\" param-value for the \"DefaultServlet\" servlet class is set to \"false\", this is a finding. @@ -30,7 +30,7 @@ " desc 'fix', " - Edit the $CATALINA_BASE/conf/web.xml file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml file. Ensure the \"readOnly\" param-value for the \"DefaultServlet\" servlet class is set to \"true\" if present. 
@@ -54,9 +54,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000033-AS-000024' - tag gid: 'V-TCSV-00-000130' - tag rid: 'SV-TCSV-00-000130' - tag stig_id: 'TCSV-00-000130' + tag gid: 'V-VRLT-8X-000130' + tag rid: 'SV-VRLT-8X-000130' + tag stig_id: 'VRLT-8X-000130' tag cci: ['CCI-000213'] tag nist: ['AC-3'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000131.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000131.rb similarity index 80% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000131.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000131.rb index f267e7f0..de189362 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000131.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000131.rb 
@@ -1,12 +1,12 @@ -control 'TCSV-00-000131' do - title 'Connectors must be secured.' +control 'VRLT-8X-000131' do + title 'The VMware Aria Operations for Logs tc Server must ensure that Connectors are secured for connectors that do not redirect to a secure port.' desc 'The unencrypted HTTP protocol does not protect data from interception or alteration which can subject users to eavesdropping, tracking, and the modification of received data. To secure an HTTP connector, both the secure and scheme flags must be set.' desc 'rationale', '' desc 'check', " At the command prompt, run the following commands: - # xmllint --xpath \"//Connector[not(@scheme)] | //Connector[@scheme != 'https']\" $CATALINA_BASE/conf/server.xml - # xmllint --xpath \"//Connector[not(@secure)] | //Connector[@secure!= 'true']\" $CATALINA_BASE/conf/server.xml + # xmllint --xpath \"//Connector[not(@scheme)] | //Connector[@scheme != 'https']\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml + # xmllint --xpath \"//Connector[not(@secure)] | //Connector[@secure!= 'true']\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml Examine each element. @@ -15,7 +15,7 @@ If the secure flag is not set to \"true\" and/or the scheme flag is not set to \"https\" for each HTTP connector element, this is a finding. " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Locate each element that is not a redirect to a secure port and is lacking a secure setting. @@ -31,9 +31,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000033-AS-000024' - tag gid: 'V-TCSV-00-000131' - tag rid: 'SV-TCSV-00-000131' - tag stig_id: 'TCSV-00-000131' + tag gid: 'V-VRLT-8X-000131' + tag rid: 'SV-VRLT-8X-000131' + tag stig_id: 'VRLT-8X-000131' tag cci: ['CCI-000213'] tag nist: ['AC-3'] 
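Review bot: The new title in the `@@ -1,12` hunk reads `must ensure that Connectors are secured for connectors that do not redirect to a secure port`, which says "connectors" twice; `title 'The VMware Aria Operations for Logs tc Server must secure connectors that do not redirect to a secure port.'` carries the same scope. The check text in the `@@ -15,7` hunk still makes the finding apply to "each HTTP connector element" without the redirect exception that the title and fix text now both carry, so an assessor following the check literally would flag a redirect-only connector. The control block continues between and past these hunks.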
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000135.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000135.rb similarity index 78% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000135.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000135.rb index 95804eba..7975af86 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000135.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000135.rb @@ -1,5 +1,5 @@ -control 'TCSV-00-000135' do - title 'Unapproved connectors must be disabled.' +control 'VRLT-8X-000135' do + title 'The VMware Aria Operations for Logs tc Server must disable unapproved connectors.' desc " Connectors are how tc Server receives requests, passes them to hosted web applications, and then sends back the results to the requestor. Tomcat provides HTTP and Apache JServ Protocol (AJP) connectors and makes these protocols available via configured network ports. Unapproved connectors provide open network connections to either of these protocols and put the system at risk. @@ -9,7 +9,7 @@ desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//Connector[not(@redirectPort)]/@port\" $CATALINA_BASE/conf/server.xml | awk 1 RS=' ' ORS='\ + # xmllint --xpath \"//Connector[not(@redirectPort)]/@port\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml | awk 1 RS=' ' ORS='\ ' Review the results and verify all connectors that are not redirects and their associated network ports are approved in the SSP. @@ -17,7 +17,7 @@ If connectors are found but are not approved in the SSP, this is a finding. " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Remove any unapproved connectors. 
@@ -27,9 +27,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000135' - tag rid: 'SV-TCSV-00-000135' - tag stig_id: 'TCSV-00-000135' + tag gid: 'V-VRLT-8X-000135' + tag rid: 'SV-VRLT-8X-000135' + tag stig_id: 'VRLT-8X-000135' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000136.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000136.rb similarity index 81% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000136.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000136.rb index 7473dff4..35216133 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000136.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000136.rb 
@@ -1,16 +1,16 @@ -control 'TCSV-00-000136' do - title 'DefaultServlet debug parameter must be disabled.' +control 'VRLT-8X-000136' do + title 'The VMware Aria Operations for Logs tc Server must disable the debug parameter.' desc 'The DefaultServlet serves static resources as well as serves the directory listings (if directory listings are enabled). It is declared globally in $CATALINA_BASE/conf/web.xml and by default is configured with the "debug" parameter set to 0, which is disabled. Changing this to a value of 1 or higher sets the servlet to print debug level information. DefaultServlet debug setting must be set to 0 (disabled).' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//*[contains(text(), 'DefaultServlet')]/parent::*\" $CATALINA_BASE/conf/web.xml + # xmllint --xpath \"//*[contains(text(), 'DefaultServlet')]/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml If the \"debug\" param-value for the \"DefaultServlet\" servlet class does not equal 0, this is a finding. " desc 'fix', " - Edit the $CATALINA_BASE/conf/web.xml file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml file. Examine the elements within the element. @@ -33,9 +33,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000136' - tag rid: 'SV-TCSV-00-000136' - tag stig_id: 'TCSV-00-000136' + tag gid: 'V-VRLT-8X-000136' + tag rid: 'SV-VRLT-8X-000136' + tag stig_id: 'VRLT-8X-000136' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000137.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000137.rb similarity index 79% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000137.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000137.rb index 987eda02..85f27bda 100644 
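Review bot: The `desc` paragraph of VRLT-8X-000136 still says the DefaultServlet "is declared globally in $CATALINA_BASE/conf/web.xml" while the check and fix in the same hunk were rewritten to the absolute `/usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml`, leaving two notations for one file in a single control. Replacing the variable reference with the absolute path, `It is declared globally in /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml and by default ...`, keeps the control self-consistent for an assessor who has no `$CATALINA_BASE` set. VRLT-8X-000137 has the identical leftover in its `desc`.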
--- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000137.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000137.rb @@ -1,16 +1,16 @@ -control 'TCSV-00-000137' do - title 'DefaultServlet directory listings parameter must be disabled.' +control 'VRLT-8X-000137' do + title 'The VMware Aria Operations for Logs tc Server must disable the DefaultServlet directory listings parameter.' desc 'The DefaultServlet serves static resources as well as directory listings. It is declared globally in $CATALINA_BASE/conf/web.xml and by default is configured with the directory "listings" parameter set to disabled. If no welcome file is present and the "listings" setting is enabled, a directory listing is shown. Directory listings must be disabled.' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//*[contains(text(), 'DefaultServlet')]/parent::*\" $CATALINA_BASE/conf/web.xml + # xmllint --xpath \"//*[contains(text(), 'DefaultServlet')]/parent::*\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml If the \"listings\" param-value for the \"DefaultServlet\" servlet class is not set to false, this is a finding. " desc 'fix', " - Edit the $CATALINA_BASE/conf/web.xml file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/web.xml file. Examine the elements within the element, ensure the \"listings\" is set to \"false\" (without quotes). @@ -29,9 +29,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000137' - tag rid: 'SV-TCSV-00-000137' - tag stig_id: 'TCSV-00-000137' + tag gid: 'V-VRLT-8X-000137' + tag rid: 'SV-VRLT-8X-000137' + tag stig_id: 'VRLT-8X-000137' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000140.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000140.rb similarity index 74% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000140.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000140.rb index 868cc9b3..03b858db 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000140.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000140.rb @@ -1,18 +1,18 @@ -control 'TCSV-00-000140' do - title 'xpoweredBy attribute must be disabled.' +control 'VRLT-8X-000140' do + title 'The VMware Aria Operations for Logs tc Server must disable the xpoweredBy attribute.' desc 'Individual connectors can be configured to display the tc Server info to clients. This information can be used to identify tc Server versions which can be useful to attackers for identifying vulnerable versions of tc Server. Individual connectors must be checked for the xpoweredBy attribute to ensure they do not pass server info to clients. The default value for xpoweredBy is false.' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # xmllint --xpath \"//Connector[@xpoweredBy]\" $CATALINA_BASE/conf/server.xml + # xmllint --xpath \"//Connector[@xpoweredBy]\" /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/server.xml If no results are returned, this is not a finding. If any connector elements contain xpoweredBy=\"true\", this is a finding. " desc 'fix', " - Edit the $CATALINA_HOME/server.xml file. + Edit the /usr/lib/loginsight/application/etc/3rd_config/server.xml file. Examine each element. 
@@ -32,9 +32,9 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000140' - tag rid: 'SV-TCSV-00-000140' - tag stig_id: 'TCSV-00-000140' + tag gid: 'V-VRLT-8X-000140' + tag rid: 'SV-VRLT-8X-000140' + tag stig_id: 'VRLT-8X-000140' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000141.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000141.rb new file mode 100644 index 00000000..5b775dbc --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000141.rb @@ -0,0 +1,30 @@ +control 'VRLT-8X-000141' do + title 'The VMware Aria Operations for Logs tc Server must remove example applications.' + desc 'tc Server provides example applications, documentation, and other directories in the default installation which do not serve a production use. These files must be deleted.' + desc 'rationale', '' + desc 'check', " + At the command prompt, run the following command: + + # ls -l /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/examples + + If the examples folder exists or contains any content, this is a finding. + " + desc 'fix', " + At the command prompt, run the following command: + + # rm -rf /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/examples + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-APP-000141-AS-000095' + tag gid: 'V-VRLT-8X-000141' + tag rid: 'SV-VRLT-8X-000141' + tag stig_id: 'VRLT-8X-000141' + tag cci: ['CCI-000381'] + tag nist: ['CM-7 a'] + + # Make sure the examples directory does not exist + describe directory("#{input('catalinaBase')}/webapps/examples").exist? do + it { should cmp 'false' } + end +end 
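Review bot: The existence test at the end of the new VRLT-8X-000141, `describe directory("#{input('catalinaBase')}/webapps/examples").exist? do it { should cmp 'false' } end`, compares a boolean against the string `'false'` and produces a failure message that does not name the directory. The InSpec form `describe directory("#{input('catalinaBase')}/webapps/examples") do it { should_not exist } end` states the intent directly and reports the path on failure. The same construct is carried over unchanged in VRLT-8X-000143, VRLT-8X-000154 and VRLT-8X-000155. The check text hardcodes `/usr/lib/loginsight/application/3rd_party/apache-tomcat` while the test reads `input('catalinaBase')`; presumably that input defaults to the same path, which is worth confirming against inspec.yml since its inputs block is cut off in this diff.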
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000142.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000142.rb similarity index 77% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000142.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000142.rb index bbf8e444..f69ae9b9 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000142.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000142.rb @@ -1,11 +1,11 @@ -control 'TCSV-00-000142' do - title ' tc Server default ROOT web application must be removed.' +control 'VRLT-8X-000142' do + title 'The VMware Aria Operations for Logs tc Server default ROOT web application must be removed or replaced.' desc 'The default ROOT web application includes the version of tc Server that is being used, links to tc Server documentation, examples, FAQs, and mailing lists. The default ROOT web application must be removed from a publicly accessible instance and a more appropriate default page shown to users. It is acceptable to replace the contents of default ROOT with a new default web application.' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # ls -l $CATALINA_BASE/webapps/ROOT + # ls -l /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/ROOT Review the index.jsp file. Also review the RELEASE-NOTES.txt file. Look for content that describes the application as being licensed by the Apache Software Foundation. Check the index.jsp for other verbiage that indicates the application is part of the tc Server. Alternatively, use a web browser and access the default web application and determine if the website application in the ROOT folder is provided with the server. 
@@ -14,19 +14,19 @@ desc 'fix', " WARNING: Removing the ROOT folder without replacing the content with valid web based content will result in an error page being displayed to the browser when the browser lands on the default page. - Either remove the files contained in $CATALINA_BASE/webapps/ROOT folder or replace the content of the folder with a new application that serves as the new default server application. + Either remove the files contained in /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/ROOT folder or replace the content of the folder with a new application that serves as the new default server application. " impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000142' - tag rid: 'SV-TCSV-00-000142' - tag stig_id: 'TCSV-00-000142' + tag gid: 'V-VRLT-8X-000142' + tag rid: 'SV-VRLT-8X-000142' + tag stig_id: 'VRLT-8X-000142' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] describe 'Release Notes txt file must not be present in core location' do - subject { file("#{input('catalinaHome')}/webapps/ROOT/RELEASE-NOTES.txt").exist? } + subject { file("#{input('catalinaBase')}/webapps/ROOT/RELEASE-NOTES.txt").exist? } it { should eq false } end @@ -35,9 +35,9 @@ it { should eq false } end - if file("#{input('catalinaHome')}/webapps/ROOT/index.jsp").exist? + if file("#{input('catalinaBase')}/webapps/ROOT/index.jsp").exist? describe 'Sample content must be removed from core location - checking index.jsp file' do - subject { file("#{input('catalinaHome')}/webapps/ROOT/index.jsp").content } + subject { file("#{input('catalinaBase')}/webapps/ROOT/index.jsp").content } it { should_not include('Tomcat') } it { should_not include('Apache') } end 
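Review bot: The index.jsp content check in the second hunk, `it { should_not include('Tomcat') }` and `it { should_not include('Apache') }`, is case-sensitive, so a page that spells either name in lower case passes the automated test while the documented check (content "licensed by the Apache Software Foundation") would still flag it. A single `it { should_not match(/tomcat|apache/i) }` covers both names regardless of case. The `catalinaHome` to `catalinaBase` switch itself is consistent with the other tcserver controls in this commit, which all hardcode the apache-tomcat path in the check text while the test reads the input, so the input default has to agree with the documented path.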
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000143.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000143.rb similarity index 59% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000143.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000143.rb index 83271a4e..1416b905 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000143.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000143.rb @@ -1,30 +1,30 @@ -control 'TCSV-00-000143' do - title 'Documentation must be removed.' +control 'VRLT-8X-000143' do + title 'The VMware Aria Operations for Logs tc Server documentation must be removed.' desc 'tc Server provides documentation and other directories in the default installation which do not serve a production use. These files must be deleted.' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # ls -l $CATALINA_HOME/webapps/docs + # ls -l /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/docs If the docs folder exists or contains any content, this is a finding. " desc 'fix', " At the command prompt, run the following command: - # rm -rf $CATALINA_HOME/webapps/docs + # rm -rf /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/docs " impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000143' - tag rid: 'SV-TCSV-00-000143' - tag stig_id: 'TCSV-00-000143' + tag gid: 'V-VRLT-8X-000143' + tag rid: 'SV-VRLT-8X-000143' + tag stig_id: 'VRLT-8X-000143' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] # Make sure the docs directory does not exist - describe directory("#{input('catalinaHome')}/webapps/docs").exist? do + describe directory("#{input('catalinaBase')}/webapps/docs").exist? do it { should cmp 'false' } end end 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000151.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000151.rb similarity index 55% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000151.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000151.rb index 44ba8577..728ed994 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000151.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000151.rb 
@@ -1,22 +1,23 @@ -control 'TCSV-00-000151' do - title 'ALLOW_BACKSLASH must be set to false.' +control 'VRLT-8X-000151' do + title 'The VMware Aria Operations for Logs tc Server must set ALLOW_BACKSLASH to false.' desc "When tc Server is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing \"/\\../\" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If allow_backslash is true the '\\' character will be permitted as a path delimiter. The default value for the setting is false but tc Server should always be configured as if no proxy restricting context access was used and allow_backslash should be set to false to prevent directory traversal style attacks. This setting can create operability issues with non-compliant clients. " desc 'rationale', '' desc 'check', " - At the command prompt, run the following command: + At the command prompt, run the following commands: - # grep -i ALLOW_BACKSLASH $CATALINA_BASE/conf/catalina.properties + # grep -i ALLOW_BACKSLASH /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties - If the setting org.apache.catalina.connector.ALLOW_BACKSLASH is present and set to true, this is a finding. + If there are no results, this is not a finding. + + If the setting org.apache.catalina.connector.ALLOW_BACKSLASH is present and not set to false, this is a finding. " desc 'fix', " - Edit the $CATALINA_BASE/conf/catalina.properties file. + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties file. - Add or change the \"org.apache.catalina.connector.ALLOW_BACKSLASH\" setting to \"false\". + Either remove or edit the org.apache.catalina.connector.ALLOW_BACKSLASH setting. If present, ensure the value is set to false. - EXAMPLE catalina.properties: + EXAMPLE: ... 
- org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true org.apache.catalina.connector.ALLOW_BACKSLASH=false ... @@ -26,16 +27,21 @@ impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000516-AS-000237' - tag gid: 'V-TCSV-00-000151' - tag rid: 'SV-TCSV-00-000151' - tag stig_id: 'TCSV-00-000151' + tag gid: 'V-VRLT-8X-000151' + tag rid: 'SV-VRLT-8X-000151' + tag stig_id: 'VRLT-8X-000151' tag cci: ['CCI-000366'] tag nist: ['CM-6 b'] # Check catalina.properties file - props = parse_config(file("#{input('catalinaBase')}/conf/catalina.properties").content) + props = parse_config(file("#{input('catalinaBase')}/conf/catalina.properties").content).params['org.apache.catalina.connector.ALLOW_BACKSLASH'] - describe props do - its(['org.apache.catalina.connector.ALLOW_BACKSLASH']) { should cmp 'false' } + describe.one do + describe props do + it { should cmp false } + end + describe props do + it { should cmp nil } + end end end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000152.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000152.rb new file mode 100644 index 00000000..5ec7a36d --- /dev/null +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000152.rb 
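Review bot: In the second hunk of VRLT-8X-000151 the variable `props` now holds the single value of `org.apache.catalina.connector.ALLOW_BACKSLASH` rather than the parsed properties, so the name no longer says what it contains; `allow_backslash = parse_config(file("#{input('catalinaBase')}/conf/catalina.properties").content).params['org.apache.catalina.connector.ALLOW_BACKSLASH']` reads correctly through the two `describe` blocks. The same rename applies to the new VRLT-8X-000152, where `props` holds the ENFORCE_ENCODING_IN_GET_WRITER value. Separately, the manual check in the first hunk treats any present value not set to false as a finding, but `grep -i ALLOW_BACKSLASH` also returns a commented-out `#org.apache.catalina.connector.ALLOW_BACKSLASH=true` line that `parse_config` presumably skips, so the manual and automated results can diverge on such a file; adding one word to the check, `If the setting org.apache.catalina.connector.ALLOW_BACKSLASH is present, uncommented and not set to false, this is a finding.`, keeps them aligned.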
@@ -0,0 +1,45 @@ +control 'VRLT-8X-000152' do + title 'The VMware Aria Operations for Logs tc Server must set ENFORCE_ENCODING_IN_GET_WRITER to true.' + desc 'Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for a XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true.' + desc 'rationale', '' + desc 'check', " + At the command prompt, run the following command: + + # grep -i ENFORCE_ENCODING /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties + + If there are no results, this is not a finding. + + If the org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER is present and not set to true, this is a finding. + " + desc 'fix', " + Edit the /usr/lib/loginsight/application/3rd_party/apache-tomcat/conf/catalina.properties file. + + Either remove or edit the org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER setting. If present, ensure the value is set to true. + + EXAMPLE: + ... + org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true + ... + + Restart the service: + # systemctl restart loginsight.service + " + impact 0.5 + tag severity: 'medium' + tag gtitle: 'SRG-APP-000516-AS-000237' + tag gid: 'V-VRLT-8X-000152' + tag rid: 'SV-VRLT-8X-000152' + tag stig_id: 'VRLT-8X-000152' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + # Check catalina.properties file + props = parse_config(file("#{input('catalinaBase')}/conf/catalina.properties").content).params['org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER'] + describe.one do + describe props do + it { should cmp true } + end + describe props do + it { should cmp nil } + end + end +end 
diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000154.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000154.rb similarity index 63% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000154.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000154.rb index 9359579b..e2b55012 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000154.rb +++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000154.rb 
@@ -1,30 +1,30 @@ -control 'TCSV-00-000154' do - title 'The tc Server manager webapp must be removed.' +control 'VRLT-8X-000154' do + title 'The VMware Aria Operations for Logs tc Server manager webapp must be removed.' desc 'tc Server provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager webapp files must be deleted, and administration must be performed through the local editing of the configuration files.' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # ls -l $CATALINA_HOME/webapps/manager + # ls -l /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/manager If the manager folder exists or contains any content, this is a finding. " desc 'fix', " At the command prompt, run the following command: - # rm -rf $CATALINA_HOME/webapps/manager + # rm -rf /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/manager " impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000154' - tag rid: 'SV-TCSV-00-000154' - tag stig_id: 'TCSV-00-000154' + tag gid: 'V-VRLT-8X-000154' + tag rid: 'SV-VRLT-8X-000154' + tag stig_id: 'VRLT-8X-000154' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] # Make sure the manager directory does not exist - describe directory("#{input('catalinaHome')}/webapps/manager").exist? do + describe directory("#{input('catalinaBase')}/webapps/manager").exist? do it { should cmp 'false' } end end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000155.rb b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000155.rb similarity index 63% rename from aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000155.rb rename to aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000155.rb index 5356dc4b..336f3308 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/controls/TCSV-00-000155.rb 
+++ b/aria/operations-for-logs/8.x/inspec/tcserver/controls/VRLT-8X-000155.rb @@ -1,30 +1,30 @@ -control 'TCSV-00-000155' do - title 'The tc Server host-manager webapp must be removed.' +control 'VRLT-8X-000155' do + title 'The VMware Aria Operations for Logs tc Server host-manager webapp must be removed.' desc 'tc Server provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The host-manager webapp files must be deleted, and administration must be performed through the local editing of the configuration files.' desc 'rationale', '' desc 'check', " At the command prompt, run the following command: - # ls -l $CATALINA_HOME/webapps/host-manager + # ls -l /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/host-manager If the manager folder exists or contains any content, this is a finding. " desc 'fix', " At the command prompt, run the following command: - # rm -rf $CATALINA_HOME/webapps/host-manager + # rm -rf /usr/lib/loginsight/application/3rd_party/apache-tomcat/webapps/host-manager " impact 0.5 tag severity: 'medium' tag gtitle: 'SRG-APP-000141-AS-000095' - tag gid: 'V-TCSV-00-000155' - tag rid: 'SV-TCSV-00-000155' - tag stig_id: 'TCSV-00-000155' + tag gid: 'V-VRLT-8X-000155' + tag rid: 'SV-VRLT-8X-000155' + tag stig_id: 'VRLT-8X-000155' tag cci: ['CCI-000381'] tag nist: ['CM-7 a'] # Make sure the host-manager directory does not exist - describe directory("#{input('catalinaHome')}/webapps/host-manager").exist? do + describe directory("#{input('catalinaBase')}/webapps/host-manager").exist? do it { should cmp 'false' } end end diff --git a/aria/operations-for-logs/8.x/inspec/tcserver/inspec.yml b/aria/operations-for-logs/8.x/inspec/tcserver/inspec.yml index d88303d0..743b49db 100644 --- a/aria/operations-for-logs/8.x/inspec/tcserver/inspec.yml +++ b/aria/operations-for-logs/8.x/inspec/tcserver/inspec.yml 
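Review bot: The check text of VRLT-8X-000155 still reads `If the manager folder exists or contains any content, this is a finding.` although the control is about the host-manager webapp and the command directly above it lists `webapps/host-manager`; the sentence looks copied from VRLT-8X-000154 and should read `If the host-manager folder exists or contains any content, this is a finding.` The existence assertion below it shares the `.exist?` plus `cmp 'false'` form raised on VRLT-8X-000141.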
@@ -1,11 +1,11 @@ -name: vRealize Log Insight Appliance 8.x tc Server Profile -title: vRealize Log Insight Appliance 8.x tc Server Profile -maintainer: VMTA -copyright: 2023 -copyright_email: stigs@vmware.com +name: VMware Aria Operations for Logs Appliance 8.x tc Server Profile +title: VMware Aria Operations for Logs Appliance 8.x tc Server Profile +maintainer: VTAE +copyright: VTAE 2024 +copyright_email: stigs@broadcom.com license: Apache-2.0 summary: An InSpec Compliance Profile -version: 1.0.3 +version: 1.0.4 inputs: - name: catalinaHome From b2c3b78c67cf161cdd31dfd1ce6d78aeca310e89 Mon Sep 17 00:00:00 2001 From: darrickw Date: Wed, 21 Feb 2024 17:04:20 -0700 Subject: [PATCH 2/2] linting fixes --- aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb b/aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb index 2c63ed65..6b3d3cd5 100644 --- a/aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb +++ b/aria/operations-for-logs/8.x/inspec/photon/libraries/pam.rb @@ -156,11 +156,11 @@ def initialize(config_target) end def services - collect { |l| l.service }.sort.uniq + collect(&:service).sort.uniq end def service - svcs = collect { |l| l.service }.sort.uniq + svcs = collect(&:service).sort.uniq if svcs.length > 1 raise PamError, %(More than one service found: '[#{svcs.join("', '")}]') end @@ -251,7 +251,7 @@ def include_exactly?(rules, opts = {}) # # @return [Array[String]] def to_a - sort_by { |l| l.type }.map { |l| l.to_s } + sort_by(&:type).map(&:to_s) end # Convert the data structure to a String
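Review bot: The lint pass in both pam.rb hunks switches to `&:service`, `&:type` and `&:to_s` but keeps `collect`, which the Ruby style guide lists as the non-preferred alias of `map`; `collect(&:service).sort.uniq` in `services` and `service` would read as `map(&:service).uniq.sort`, which also sorts the already de-duplicated list instead of the full one. The enclosing `services` and `service` methods and the class around `to_a` continue outside these hunks.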