From shawn at redhat.com Fri Jun 17 17:47:53 2016
Content-Type: multipart/mixed; boundary="===============3712085126929987884=="
MIME-Version: 1.0
From: Shawn Wells <shawn at redhat.com>
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: Issue with file_permissions_ungroupowned in CentOS 5
Date: Fri, 17 Jun 2016 13:47:38 -0400
Message-ID: <576437BA.2030300@redhat.com>
In-Reply-To: CAB6RzTu7o4+a5H-uM=Rv4CqtTaZaYgndDYtJ67p3tw+AWe1XBQ@mail.gmail.com

--===============3712085126929987884==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable



On 6/15/16 2:09 PM, Rodolfo Mart=C3=ADnez wrote:
> Here is the relevant part of the file_permissions_ungroupowned OVAL test:
>
>   <unix:file_object comment=3D"all local files" =

> id=3D"file_permissions_ungroupowned_object" version=3D"1">
>     <unix:behaviors recurse=3D"directories" recurse_direction=3D"down" =

> max_depth=3D"-1" recurse_file_system=3D"local" />
>     <unix:path operation=3D"equals">/</unix:path>
>     <unix:filename operation=3D"pattern match">.*</unix:filename>
>     <filter =

> action=3D"exclude">file_permissions_ungroupowned_list_match</filter>
>   </unix:file_object>
>
> If I create 'aaa' file in /tmp and chage the GID to a non-existing =

> group in /etc/group, the test should fail, but it passes.
>
> If I change the file name pattern match from '.*' to 'a.*' or change =

> the path to /tmp, the test fails correctly.
>
> Is there any limitation in the amount of files that oscap can process?
>
> Thanks
>
>
> --
> Rodolfo Mart=C3=ADnez
>
> On Tue, Jun 14, 2016 at 11:55 PM, Rodolfo Mart=C3=ADnez <rmtzcx(a)gmail.c=
om =

> <mailto:rmtzcx(a)gmail.com>> wrote:
>
>     Hi,
>
>     I am having an issue with OVAL test file_permissions_ungroupowned
>     in CentOS 5. I believe it is a bug in the oscap version that it is
>     available in CentOS 5 (kind of old, v1.0.8).
>
>     Here is the procedure I am doing:
>
>     1. Download and build scap-security-guide for RHEL5 in my Fedora
>     23 machine; then copy the output to my CentOS 5 testing server:
>
>     wget
>     https://github.com/OpenSCAP/scap-security-guide/archive/v0.1.29.tar.gz
>     -O scap-security-guide-0.1.29.tar.gz
>
>     tar -zxf scap-security-guide-0.1.29.tar.gz
>
>     make -C scap-security-guide-0.1.29/RHEL/5 dist
>
>     scp -r scap-security-guide-0.1.29/RHEL/5/dist/content centos5-test:
>
>     Now in the CentOS 5 testing server, create a tailoring file to run
>     file_permissions_ungroupowned test alone:
>
>     cat >ssg-centos5-xccdf-tailoring.xml <<"EOF"
>     <?xml version=3D"1.0" encoding=3D"UTF-8"?>
>     <Tailoring xmlns=3D"http://checklists.nist.gov/xccdf/1.2"
>     id=3D"xccdf_ssg-centos5_tailoring_xccdf">
>         <version time=3D"2016-06-14T19:50:57">1</version>
>         <Profile id=3D"xccdf_my_profile_stig-centos5-upstream_tailored">
>             <title>CentOS 5 [TAILORED]</title>
>             <select idref=3D"file_permissions_ungroupowned"
>     selected=3D"true"/>
>         </Profile>
>     </Tailoring>
>     EOF
>
>     Create a file without corresponding group in /etc/group:
>
>     touch /an_unowned_group_file
>
>     chgrp 4567 /an_unowned_group_file
>
>     find / -nogroup 2>/dev/null
>     /an_unowned_group_file <-- Check that it is found
>
>
>     Finally run oscap:
>
>     oscap xccdf eval \
>         --tailoring-file ssg-centos5-xccdf-tailoring.xml \
>         --profile xccdf_my_profile_stig-centos5-upstream_tailored \
>         --cpe content/ssg-rhel5-cpe-dictionary.xml \
>         content/ssg-centos5-xccdf.xml
>
>     ... and output is:
>
>     Title   Ensure All Files Are Owned by a Group
>     Rule    file_permissions_ungroupowned
>     Ident   GEN001170
>     Result  pass
>
>     I would expect that the test fails since there is at least one
>     file without existing group.
>
>     I took a look at the OVAL definition
>     scap-security-guide-0.1.29/RHEL/5/input/oval/file_permissions_ungroup=
owned.xml
>     but I do not see anything wrong.
>
>     Do you have any idea why this test is passing when it should fail?
>
>     Regards
>

Hi Rodolfo,

     Thanks for reporting this! I've updated the RHEL5 content to use =

the updated file_permissions_ungroupowned check:
https://github.com/OpenSCAP/scap-security-guide/pull/1296

     That should get merged in the next few days pending peer review. If =

you could test the PR and verify this works for you, that'd be great!

Shawn

--===============3712085126929987884==
Content-Type: text/html
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"

PGh0bWw+CiAgPGhlYWQ+CiAgICA8bWV0YSBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRm
LTgiIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSI+CiAgPC9oZWFkPgogIDxib2R5IGJnY29sb3I9
IiNGRkZGRkYiIHRleHQ9IiMwMDAwMDAiPgogICAgPGJyPgogICAgPGJyPgogICAgPGRpdiBjbGFz
cz0ibW96LWNpdGUtcHJlZml4Ij5PbiA2LzE1LzE2IDI6MDkgUE0sIFJvZG9sZm8gTWFydMOtbmV6
CiAgICAgIHdyb3RlOjxicj4KICAgIDwvZGl2PgogICAgPGJsb2NrcXVvdGUKY2l0ZT0ibWlkOkNB
QjZSelR1N280K2E1SC11TT1SdjRDcXRUYVphWWduZERZdEo2N3AzdHcrQVdlMVhCUUBtYWlsLmdt
YWlsLmNvbSIKICAgICAgdHlwZT0iY2l0ZSI+CiAgICAgIDxkaXYgZGlyPSJsdHIiPgogICAgICAg
IDxkaXYgY2xhc3M9ImdtYWlsX2RlZmF1bHQiCiAgICAgICAgICBzdHlsZT0iZm9udC1mYW1pbHk6
dGFob21hLHNhbnMtc2VyaWY7Zm9udC1zaXplOnNtYWxsIj5IZXJlIGlzCiAgICAgICAgICB0aGUg
cmVsZXZhbnQgcGFydCBvZiB0aGUgZmlsZV9wZXJtaXNzaW9uc191bmdyb3Vwb3duZWQgT1ZBTAog
ICAgICAgICAgdGVzdDo8YnI+CiAgICAgICAgICA8YnI+CiAgICAgICAgICDCoCAmbHQ7dW5peDpm
aWxlX29iamVjdCBjb21tZW50PSJhbGwgbG9jYWwgZmlsZXMiCiAgICAgICAgICBpZD0iZmlsZV9w
ZXJtaXNzaW9uc191bmdyb3Vwb3duZWRfb2JqZWN0IiB2ZXJzaW9uPSIxIiZndDs8YnI+CiAgICAg
ICAgICDCoMKgwqAgJmx0O3VuaXg6YmVoYXZpb3JzIHJlY3Vyc2U9ImRpcmVjdG9yaWVzIgogICAg
ICAgICAgcmVjdXJzZV9kaXJlY3Rpb249ImRvd24iIG1heF9kZXB0aD0iLTEiCiAgICAgICAgICBy
ZWN1cnNlX2ZpbGVfc3lzdGVtPSJsb2NhbCIgLyZndDs8YnI+CiAgICAgICAgICDCoMKgwqAgJmx0
O3VuaXg6cGF0aCBvcGVyYXRpb249ImVxdWFscyImZ3Q7LyZsdDsvdW5peDpwYXRoJmd0Ozxicj4K
ICAgICAgICAgIMKgwqDCoCAmbHQ7dW5peDpmaWxlbmFtZSBvcGVyYXRpb249InBhdHRlcm4KICAg
ICAgICAgIG1hdGNoIiZndDsuKiZsdDsvdW5peDpmaWxlbmFtZSZndDs8YnI+CiAgICAgICAgICDC
oMKgwqAgJmx0O2ZpbHRlcgphY3Rpb249ImV4Y2x1ZGUiJmd0O2ZpbGVfcGVybWlzc2lvbnNfdW5n
cm91cG93bmVkX2xpc3RfbWF0Y2gmbHQ7L2ZpbHRlciZndDs8YnI+CiAgICAgICAgICDCoCAmbHQ7
L3VuaXg6ZmlsZV9vYmplY3QmZ3Q7PGJyPgogICAgICAgICAgPGJyPgogICAgICAgIDwvZGl2Pgog
ICAgICAgIDxkaXYgY2xhc3M9ImdtYWlsX2RlZmF1bHQiCiAgICAgICAgICBzdHlsZT0iZm9udC1m
YW1pbHk6dGFob21hLHNhbnMtc2VyaWY7Zm9udC1zaXplOnNtYWxsIj5JZiBJCiAgICAgICAgICBj
cmVhdGUgJ2FhYScgZmlsZSBpbiAvdG1wIGFuZCBjaGFnZSB0aGUgR0lEIHRvIGEgbm9uLWV4aXN0
aW5nCiAgICAgICAgICBncm91cCBpbiAvZXRjL2dyb3VwLCB0aGUgdGVzdCBzaG91bGQgZmFpbCwg
YnV0IGl0IHBhc3Nlcy48YnI+CiAgICAgICAgICA8YnI+CiAgICAgICAgPC9kaXY+CiAgICAgICAg
PGRpdiBjbGFzcz0iZ21haWxfZGVmYXVsdCIKICAgICAgICAgIHN0eWxlPSJmb250LWZhbWlseTp0
YWhvbWEsc2Fucy1zZXJpZjtmb250LXNpemU6c21hbGwiPklmIEkKICAgICAgICAgIGNoYW5nZSB0
aGUgZmlsZSBuYW1lIHBhdHRlcm4gbWF0Y2ggZnJvbSAnLionIHRvICdhLionIG9yCiAgICAgICAg
ICBjaGFuZ2UgdGhlIHBhdGggdG8gL3RtcCwgdGhlIHRlc3QgZmFpbHMgY29ycmVjdGx5Ljxicj4K
ICAgICAgICAgIDxicj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8ZGl2IGNsYXNzPSJnbWFpbF9k
ZWZhdWx0IgogICAgICAgICAgc3R5bGU9ImZvbnQtZmFtaWx5OnRhaG9tYSxzYW5zLXNlcmlmO2Zv
bnQtc2l6ZTpzbWFsbCI+SXMgdGhlcmUKICAgICAgICAgIGFueSBsaW1pdGF0aW9uIGluIHRoZSBh
bW91bnQgb2YgZmlsZXMgdGhhdCBvc2NhcCBjYW4gcHJvY2Vzcz88YnI+CiAgICAgICAgICA8YnI+
CiAgICAgICAgPC9kaXY+CiAgICAgICAgPGRpdiBjbGFzcz0iZ21haWxfZGVmYXVsdCIKICAgICAg
ICAgIHN0eWxlPSJmb250LWZhbWlseTp0YWhvbWEsc2Fucy1zZXJpZjtmb250LXNpemU6c21hbGwi
PlRoYW5rczxicj4KICAgICAgICA8L2Rpdj4KICAgICAgICA8ZGl2IGNsYXNzPSJnbWFpbF9kZWZh
dWx0IgogICAgICAgICAgc3R5bGU9ImZvbnQtZmFtaWx5OnRhaG9tYSxzYW5zLXNlcmlmO2ZvbnQt
c2l6ZTpzbWFsbCI+PGJyPgogICAgICAgIDwvZGl2PgogICAgICA8L2Rpdj4KICAgICAgPGRpdiBj
bGFzcz0iZ21haWxfZXh0cmEiPjxiciBjbGVhcj0iYWxsIj4KICAgICAgICA8ZGl2PgogICAgICAg
ICAgPGRpdiBjbGFzcz0iZ21haWxfc2lnbmF0dXJlIiBkYXRhLXNtYXJ0bWFpbD0iZ21haWxfc2ln
bmF0dXJlIj4KICAgICAgICAgICAgPGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6dGFob21hLHNhbnMt
c2VyaWYiPjxmb250IHNpemU9IjIiPi0tPGJyPgogICAgICAgICAgICAgIDwvZm9udD48L2Rpdj4K
ICAgICAgICAgICAgPGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6dGFob21hLHNhbnMtc2VyaWYiPjxm
b250IHNpemU9IjIiPlJvZG9sZm8KICAgICAgICAgICAgICAgIE1hcnTDrW5lejwvZm9udD48L2Rp
dj4KICAgICAgICAgIDwvZGl2PgogICAgICAgIDwvZGl2PgogICAgICAgIDxicj4KICAgICAgICA8
ZGl2IGNsYXNzPSJnbWFpbF9xdW90ZSI+T24gVHVlLCBKdW4gMTQsIDIwMTYgYXQgMTE6NTUgUE0s
CiAgICAgICAgICBSb2RvbGZvIE1hcnTDrW5leiA8c3BhbiBkaXI9Imx0ciI+Jmx0OzxhCiAgICAg
ICAgICAgICAgbW96LWRvLW5vdC1zZW5kPSJ0cnVlIiBocmVmPSJtYWlsdG86cm10emN4QGdtYWls
LmNvbSIKICAgICAgICAgICAgICB0YXJnZXQ9Il9ibGFuayI+PGEgY2xhc3M9Im1vei10eHQtbGlu
ay1hYmJyZXZpYXRlZCIgaHJlZj0ibWFpbHRvOnJtdHpjeEBnbWFpbC5jb20iPnJtdHpjeEBnbWFp
bC5jb208L2E+PC9hPiZndDs8L3NwYW4+IHdyb3RlOjxicj4KICAgICAgICAgIDxibG9ja3F1b3Rl
IGNsYXNzPSJnbWFpbF9xdW90ZSIgc3R5bGU9Im1hcmdpbjowIDAgMAogICAgICAgICAgICAuOGV4
O2JvcmRlci1sZWZ0OjFweCAjY2NjIHNvbGlkO3BhZGRpbmctbGVmdDoxZXgiPgogICAgICAgICAg
ICA8ZGl2IGRpcj0ibHRyIj4KICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJnbWFpbF9kZWZhdWx0
IgogICAgICAgICAgICAgICAgc3R5bGU9ImZvbnQtZmFtaWx5OnRhaG9tYSxzYW5zLXNlcmlmO2Zv
bnQtc2l6ZTpzbWFsbCI+SGksPGJyPgogICAgICAgICAgICAgICAgPGJyPgogICAgICAgICAgICAg
IDwvZGl2PgogICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImdtYWlsX2RlZmF1bHQiCiAgICAgICAg
ICAgICAgICBzdHlsZT0iZm9udC1mYW1pbHk6dGFob21hLHNhbnMtc2VyaWY7Zm9udC1zaXplOnNt
YWxsIj5JCiAgICAgICAgICAgICAgICBhbSBoYXZpbmcgYW4gaXNzdWUgd2l0aCBPVkFMIHRlc3QK
ICAgICAgICAgICAgICAgIGZpbGVfcGVybWlzc2lvbnNfdW5ncm91cG93bmVkIGluIENlbnRPUyA1
LiBJIGJlbGlldmUgaXQKICAgICAgICAgICAgICAgIGlzIGEgYnVnIGluIHRoZSBvc2NhcCB2ZXJz
aW9uIHRoYXQgaXQgaXMgYXZhaWxhYmxlIGluCiAgICAgICAgICAgICAgICBDZW50T1MgNSAoa2lu
ZCBvZiBvbGQsIHYxLjAuOCkuPGJyPgogICAgICAgICAgICAgICAgPGJyPgogICAgICAgICAgICAg
IDwvZGl2PgogICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImdtYWlsX2RlZmF1bHQiCiAgICAgICAg
ICAgICAgICBzdHlsZT0iZm9udC1mYW1pbHk6dGFob21hLHNhbnMtc2VyaWY7Zm9udC1zaXplOnNt
YWxsIj5IZXJlCiAgICAgICAgICAgICAgICBpcyB0aGUgcHJvY2VkdXJlIEkgYW0gZG9pbmc6PGJy
PgogICAgICAgICAgICAgICAgPGJyPgogICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAgICAg
IDxkaXYgY2xhc3M9ImdtYWlsX2RlZmF1bHQiCiAgICAgICAgICAgICAgICBzdHlsZT0iZm9udC1m
YW1pbHk6dGFob21hLHNhbnMtc2VyaWY7Zm9udC1zaXplOnNtYWxsIj4xLgogICAgICAgICAgICAg
ICAgRG93bmxvYWQgYW5kIGJ1aWxkIHNjYXAtc2VjdXJpdHktZ3VpZGUgZm9yIFJIRUw1IGluIG15
CiAgICAgICAgICAgICAgICBGZWRvcmEgMjMgbWFjaGluZTsgdGhlbiBjb3B5IHRoZSBvdXRwdXQg
dG8gbXkgQ2VudE9TIDUKICAgICAgICAgICAgICAgIHRlc3Rpbmcgc2VydmVyOjxicj4KICAgICAg
ICAgICAgICAgIDxicj4KICAgICAgICAgICAgICAgIHdnZXQgPGEgbW96LWRvLW5vdC1zZW5kPSJ0
cnVlIgpocmVmPSJodHRwczovL2dpdGh1Yi5jb20vT3BlblNDQVAvc2NhcC1zZWN1cml0eS1ndWlk
ZS9hcmNoaXZlL3YwLjEuMjkudGFyLmd6IgogICAgICAgICAgICAgICAgICB0YXJnZXQ9Il9ibGFu
ayI+aHR0cHM6Ly9naXRodWIuY29tL09wZW5TQ0FQL3NjYXAtc2VjdXJpdHktZ3VpZGUvYXJjaGl2
ZS92MC4xLjI5LnRhci5nejwvYT4KICAgICAgICAgICAgICAgIC1PIHNjYXAtc2VjdXJpdHktZ3Vp
ZGUtMC4xLjI5LnRhci5nejxicj4KICAgICAgICAgICAgICAgIDxicj4KICAgICAgICAgICAgICAg
IHRhciAtenhmIHNjYXAtc2VjdXJpdHktZ3VpZGUtMC4xLjI5LnRhci5nejxicj4KICAgICAgICAg
ICAgICAgIDxicj4KICAgICAgICAgICAgICAgIG1ha2UgLUMgc2NhcC1zZWN1cml0eS1ndWlkZS0w
LjEuMjkvUkhFTC81IGRpc3Q8YnI+CiAgICAgICAgICAgICAgICA8YnI+CiAgICAgICAgICAgICAg
ICBzY3AgLXIgc2NhcC1zZWN1cml0eS1ndWlkZS0wLjEuMjkvUkhFTC81L2Rpc3QvY29udGVudAog
ICAgICAgICAgICAgICAgY2VudG9zNS10ZXN0Ojxicj4KICAgICAgICAgICAgICAgIDxicj4KICAg
ICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJnbWFpbF9kZWZhdWx0
IgogICAgICAgICAgICAgICAgc3R5bGU9ImZvbnQtZmFtaWx5OnRhaG9tYSxzYW5zLXNlcmlmO2Zv
bnQtc2l6ZTpzbWFsbCI+Tm93CiAgICAgICAgICAgICAgICBpbiB0aGUgQ2VudE9TIDUgdGVzdGlu
ZyBzZXJ2ZXIsIGNyZWF0ZSBhIHRhaWxvcmluZyBmaWxlCiAgICAgICAgICAgICAgICB0byBydW4g
ZmlsZV9wZXJtaXNzaW9uc191bmdyb3Vwb3duZWQgdGVzdCBhbG9uZTo8YnI+CiAgICAgICAgICAg
ICAgICA8YnI+CiAgICAgICAgICAgICAgICBjYXQgJmd0O3NzZy1jZW50b3M1LXhjY2RmLXRhaWxv
cmluZy54bWwgJmx0OyZsdDsiRU9GIjxicj4KICAgICAgICAgICAgICAgICZsdDs/eG1sIHZlcnNp
b249IjEuMCIgZW5jb2Rpbmc9IlVURi04Ij8mZ3Q7PGJyPgogICAgICAgICAgICAgICAgJmx0O1Rh
aWxvcmluZyB4bWxucz0iPGEgbW96LWRvLW5vdC1zZW5kPSJ0cnVlIgogICAgICAgICAgICAgICAg
ICBocmVmPSJodHRwOi8vY2hlY2tsaXN0cy5uaXN0Lmdvdi94Y2NkZi8xLjIiCiAgICAgICAgICAg
ICAgICAgIHRhcmdldD0iX2JsYW5rIj5odHRwOi8vY2hlY2tsaXN0cy5uaXN0Lmdvdi94Y2NkZi8x
LjI8L2E+IgogICAgICAgICAgICAgICAgaWQ9InhjY2RmX3NzZy1jZW50b3M1X3RhaWxvcmluZ194
Y2NkZiImZ3Q7PGJyPgogICAgICAgICAgICAgICAgwqDCoMKgICZsdDt2ZXJzaW9uCiAgICAgICAg
ICAgICAgICB0aW1lPSIyMDE2LTA2LTE0VDE5OjUwOjU3IiZndDsxJmx0Oy92ZXJzaW9uJmd0Ozxi
cj4KICAgICAgICAgICAgICAgIMKgwqDCoCAmbHQ7UHJvZmlsZQogICAgICAgICAgICAgICAgaWQ9
InhjY2RmX215X3Byb2ZpbGVfc3RpZy1jZW50b3M1LXVwc3RyZWFtX3RhaWxvcmVkIiZndDs8YnI+
CiAgICAgICAgICAgICAgICDCoMKgwqDCoMKgwqDCoCAmbHQ7dGl0bGUmZ3Q7Q2VudE9TIDUgW1RB
SUxPUkVEXSZsdDsvdGl0bGUmZ3Q7PGJyPgogICAgICAgICAgICAgICAgwqDCoMKgwqDCoMKgwqAg
Jmx0O3NlbGVjdCBpZHJlZj0iZmlsZV9wZXJtaXNzaW9uc191bmdyb3Vwb3duZWQiCiAgICAgICAg
ICAgICAgICBzZWxlY3RlZD0idHJ1ZSIvJmd0Ozxicj4KICAgICAgICAgICAgICAgIMKgwqDCoCAm
bHQ7L1Byb2ZpbGUmZ3Q7PGJyPgogICAgICAgICAgICAgICAgJmx0Oy9UYWlsb3JpbmcmZ3Q7PGJy
PgogICAgICAgICAgICAgICAgRU9GPGJyPgogICAgICAgICAgICAgICAgPGJyPgogICAgICAgICAg
ICAgIDwvZGl2PgogICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImdtYWlsX2RlZmF1bHQiCiAgICAg
ICAgICAgICAgICBzdHlsZT0iZm9udC1mYW1pbHk6dGFob21hLHNhbnMtc2VyaWY7Zm9udC1zaXpl
OnNtYWxsIj5DcmVhdGUKICAgICAgICAgICAgICAgIGEgZmlsZSB3aXRob3V0IGNvcnJlc3BvbmRp
bmcgZ3JvdXAgaW4gL2V0Yy9ncm91cDo8YnI+CiAgICAgICAgICAgICAgICA8YnI+CiAgICAgICAg
ICAgICAgICB0b3VjaCAvYW5fdW5vd25lZF9ncm91cF9maWxlPGJyPgogICAgICAgICAgICAgICAg
PGJyPgogICAgICAgICAgICAgICAgY2hncnAgNDU2NyAvYW5fdW5vd25lZF9ncm91cF9maWxlPGJy
PgogICAgICAgICAgICAgICAgPGJyPgogICAgICAgICAgICAgICAgZmluZCAvIC1ub2dyb3VwIDIm
Z3Q7L2Rldi9udWxsPGJyPgogICAgICAgICAgICAgICAgL2FuX3Vub3duZWRfZ3JvdXBfZmlsZSAm
bHQ7LS0gQ2hlY2sgdGhhdCBpdCBpcyBmb3VuZCA8YnI+CiAgICAgICAgICAgICAgICA8YnI+CiAg
ICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iZ21haWxfZGVmYXVs
dCIKICAgICAgICAgICAgICAgIHN0eWxlPSJmb250LWZhbWlseTp0YWhvbWEsc2Fucy1zZXJpZjtm
b250LXNpemU6c21hbGwiPjxicj4KICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICA8
ZGl2IGNsYXNzPSJnbWFpbF9kZWZhdWx0IgogICAgICAgICAgICAgICAgc3R5bGU9ImZvbnQtZmFt
aWx5OnRhaG9tYSxzYW5zLXNlcmlmO2ZvbnQtc2l6ZTpzbWFsbCI+RmluYWxseQogICAgICAgICAg
ICAgICAgcnVuIG9zY2FwOjxicj4KICAgICAgICAgICAgICAgIDxicj4KICAgICAgICAgICAgICAg
IG9zY2FwIHhjY2RmIGV2YWwgXDxicj4KICAgICAgICAgICAgICAgIMKgwqDCoCAtLXRhaWxvcmlu
Zy1maWxlIHNzZy1jZW50b3M1LXhjY2RmLXRhaWxvcmluZy54bWwgXDxicj4KICAgICAgICAgICAg
ICAgIMKgwqDCoCAtLXByb2ZpbGUKICAgICAgICAgICAgICAgIHhjY2RmX215X3Byb2ZpbGVfc3Rp
Zy1jZW50b3M1LXVwc3RyZWFtX3RhaWxvcmVkIFw8YnI+CiAgICAgICAgICAgICAgICDCoMKgwqAg
LS1jcGUgY29udGVudC9zc2ctcmhlbDUtY3BlLWRpY3Rpb25hcnkueG1sIFw8YnI+CiAgICAgICAg
ICAgICAgICDCoMKgwqAgY29udGVudC9zc2ctY2VudG9zNS14Y2NkZi54bWw8YnI+CiAgICAgICAg
ICAgICAgICA8YnI+CiAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgPGRpdiBjbGFz
cz0iZ21haWxfZGVmYXVsdCIKICAgICAgICAgICAgICAgIHN0eWxlPSJmb250LWZhbWlseTp0YWhv
bWEsc2Fucy1zZXJpZjtmb250LXNpemU6c21hbGwiPi4uLgogICAgICAgICAgICAgICAgYW5kIG91
dHB1dCBpczo8YnI+CiAgICAgICAgICAgICAgICA8YnI+CiAgICAgICAgICAgICAgICBUaXRsZcKg
wqAgRW5zdXJlIEFsbCBGaWxlcyBBcmUgT3duZWQgYnkgYSBHcm91cDxicj4KICAgICAgICAgICAg
ICAgIFJ1bGXCoMKgwqAgZmlsZV9wZXJtaXNzaW9uc191bmdyb3Vwb3duZWQ8YnI+CiAgICAgICAg
ICAgICAgICBJZGVudMKgwqAgR0VOMDAxMTcwPGJyPgogICAgICAgICAgICAgICAgUmVzdWx0wqAg
cGFzczxicj4KICAgICAgICAgICAgICAgIDxicj4KICAgICAgICAgICAgICA8L2Rpdj4KICAgICAg
ICAgICAgICA8ZGl2IGNsYXNzPSJnbWFpbF9kZWZhdWx0IgogICAgICAgICAgICAgICAgc3R5bGU9
ImZvbnQtZmFtaWx5OnRhaG9tYSxzYW5zLXNlcmlmO2ZvbnQtc2l6ZTpzbWFsbCI+SQogICAgICAg
ICAgICAgICAgd291bGQgZXhwZWN0IHRoYXQgdGhlIHRlc3QgZmFpbHMgc2luY2UgdGhlcmUgaXMg
YXQgbGVhc3QKICAgICAgICAgICAgICAgIG9uZSBmaWxlIHdpdGhvdXQgZXhpc3RpbmcgZ3JvdXAu
PGJyPgogICAgICAgICAgICAgICAgPGJyPgogICAgICAgICAgICAgIDwvZGl2PgogICAgICAgICAg
ICAgIDxkaXYgY2xhc3M9ImdtYWlsX2RlZmF1bHQiCiAgICAgICAgICAgICAgICBzdHlsZT0iZm9u
dC1mYW1pbHk6dGFob21hLHNhbnMtc2VyaWY7Zm9udC1zaXplOnNtYWxsIj5JCiAgICAgICAgICAg
ICAgICB0b29rIGEgbG9vayBhdCB0aGUgT1ZBTCBkZWZpbml0aW9uCiAgICAgICAgICAgICAgICBz
Y2FwLXNlY3VyaXR5LWd1aWRlLTAuMS4yOS9SSEVMLzUvaW5wdXQvb3ZhbC9maWxlX3Blcm1pc3Np
b25zX3VuZ3JvdXBvd25lZC54bWwKICAgICAgICAgICAgICAgIGJ1dCBJIGRvIG5vdCBzZWUgYW55
dGhpbmcgd3JvbmcuPGJyPgogICAgICAgICAgICAgICAgPGJyPgogICAgICAgICAgICAgIDwvZGl2
PgogICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImdtYWlsX2RlZmF1bHQiCiAgICAgICAgICAgICAg
ICBzdHlsZT0iZm9udC1mYW1pbHk6dGFob21hLHNhbnMtc2VyaWY7Zm9udC1zaXplOnNtYWxsIj5E
bwogICAgICAgICAgICAgICAgeW91IGhhdmUgYW55IGlkZWEgd2h5IHRoaXMgdGVzdCBpcyBwYXNz
aW5nIHdoZW4gaXQKICAgICAgICAgICAgICAgIHNob3VsZCBmYWlsPzxicj4KICAgICAgICAgICAg
ICAgIDxicj4KICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJn
bWFpbF9kZWZhdWx0IgogICAgICAgICAgICAgICAgc3R5bGU9ImZvbnQtZmFtaWx5OnRhaG9tYSxz
YW5zLXNlcmlmO2ZvbnQtc2l6ZTpzbWFsbCI+UmVnYXJkczxicj4KICAgICAgICAgICAgICA8L2Rp
dj4KICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICA8L2Jsb2NrcXVvdGU+CiAgICAgICAgPC9k
aXY+CiAgICAgIDwvZGl2PgogICAgPC9ibG9ja3F1b3RlPgogICAgPGJyPgogICAgSGkgUm9kb2xm
bywgPGJyPgogICAgPGJyPgogICAgwqDCoMKgIFRoYW5rcyBmb3IgcmVwb3J0aW5nIHRoaXMhIEkn
dmUgdXBkYXRlZCB0aGUgUkhFTDUgY29udGVudCB0byB1c2UKICAgIHRoZSB1cGRhdGVkIGZpbGVf
cGVybWlzc2lvbnNfdW5ncm91cG93bmVkIGNoZWNrOjxicj4KICAgIDxhIGNsYXNzPSJtb3otdHh0
LWxpbmstZnJlZXRleHQiIGhyZWY9Imh0dHBzOi8vZ2l0aHViLmNvbS9PcGVuU0NBUC9zY2FwLXNl
Y3VyaXR5LWd1aWRlL3B1bGwvMTI5NiI+aHR0cHM6Ly9naXRodWIuY29tL09wZW5TQ0FQL3NjYXAt
c2VjdXJpdHktZ3VpZGUvcHVsbC8xMjk2PC9hPjxicj4KICAgIDxicj4KICAgIMKgwqDCoCBUaGF0
IHNob3VsZCBnZXQgbWVyZ2VkIGluIHRoZSBuZXh0IGZldyBkYXlzIHBlbmRpbmcgcGVlciByZXZp
ZXcuCiAgICBJZiB5b3UgY291bGQgdGVzdCB0aGUgUFIgYW5kIHZlcmlmeSB0aGlzIHdvcmtzIGZv
ciB5b3UsIHRoYXQnZCBiZQogICAgZ3JlYXQhPGJyPgogICAgPGJyPgogICAgU2hhd24KICA8L2Jv
ZHk+CjwvaHRtbD4K

--===============3712085126929987884==--